Networks Still At Risk Despite Patching Pulse Secure VPN

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has released an updated alert regarding CVE-2019-11510 . The vulnerability, which has been widely exploited, affects Pulse Secure virtual private network (VPN) appliances and allows threat actors to remotely bypass authentication, access arbitrary files, and perform remote code execution. CISA has identified that threat actors who successfully exploited the vulnerability will still have access to—and can maintain the capability of—lateral movement within organizational networks, despite patches being applied, if compromised credentials were not changed. CISA has also observed threat actors maintaining persistence through scheduled tasks and remote access trojans, exfiltrating data files, and successfully dropping ransomware at hospitals and US Government entities. Furthermore, threat actors were observed using remote administration tools, such as TeamViewer and LogMeIn, as makeshift backdoors to gain persistence on victim networks if they lost their primary means of access.

Recommendations

The NJCCIC urges administrators to review the IOCs, technical details, and mitigation strategies found in the CISA alert and ensure patches have been applied to affected Post Pulse Secure VPN devices. Additionally, we suggest reviewing logs to detect intrusions and mandate password changes to any compromised user accounts.