Patch or Perish: VPN Servers Hit by Ransomware AttackersPulse Secure Says Critical April 2019 Patch Protects Against Sodinokibi Too
Stop me if you've heard this one before: Unpatched servers are getting hacked by malware-wielding attackers.
Recently, that includes attackers hitting unpatched Pulse Secure VPN servers with Sodinokibi - aka REvil - ransomware, warns British security researcher Kevin Beaumont (@gossithedog). While fixes for the flaws have long been available, at least several thousand internet-connected servers remain unpatched, he says.
"I follow 'big game' ransomware and general cyberattacks, as I work in corporate cybersecurity, so want to know what attackers are up to," Beaumont said in research published Saturday.
The answer is that some attackers have been targeting Active Directory credentials as part of their ransomware-infection efforts, as well as using Virtual Network Computing to remotely control PCs, and the free PsExec command-line tool for remotely executing processes on local systems.
"Earlier this week I’ve seen two notable incidents where they believed Pulse Secure was the cause of a breach, and used to deliver Sodinokibi," he wrote. "In both cases, the organizations had unpatched Pulse Secure systems, and the footprint was the same - access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via PsExec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via PsExec."
On Saturday, Troy Mursch of Chicago-based threat intelligence firm Bad Packets reported that his internet scans have identified 3,825 Pulse Secure VPN servers that remain at risk because they have not been updated with a patch to fix a critical vulnerability, designated CVE-2019-1150.
Total vulnerable Pulse Secure VPN servers by country:— Bad Packets Report (@bad_packets) January 4, 2020
United States: 1,316
United Kingdom: 221
South Korea: 203
Hong Kong: 93
All others: 985https://t.co/sOuyPywPCD
"Several thousand Pulse Secure servers are still online, including extremely high-profile U.S. and U.K. companies," some of which are telecommunications firms and managed service providers, Beaumont tweeted on Saturday. "Patch."
'Highly Critical' Flaws
The patch for Pulse Secure VPN servers - as with critical patches for VPN servers built by Fortinet and Palo Alto that have also required updates to fix serious flaws since last year - has been available for months.
"Pulse Secure publicly provided a patch fix on April 24, 2019, that should be immediately applied to the Pulse Connect Secure (VPN)," Scott Gordon, chief marketing officer at Pulse Secure, says in a statement. "The CVE-2019-1150 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit. As we have communicated earlier, we urge all customers to apply the patch fix."
Pulse Secure's statement was issued in response to Beaumont's research and reports - including in ZDNet - on his findings.
The State of Patching
In August 2019, Bad Packets reported that 14,528 Pulse Secure VPN servers remained vulnerable to CVE-2019-11510. It said vulnerable servers traced to at least 2,535 organizations, "including government agencies, universities and numerous Fortune 500 companies," and that it had sent more specific details to multiple national computer emergency response teams.
The good news is that many of those devices have now been patched, with Pulse Secure estimating that fewer than 10 percent of customers have yet to do so.
"As of early January, the majority of our customers have successfully applied the patch fix and are no longer vulnerable," Gordon says. "But unfortunately, there are organizations that have yet to apply this patch. … We continue to request customers to apply the April patch fix to their VPN systems - this server-side patch does not require updating the client."
Western Intelligence Agencies Sound Alert
In case there was any question about the risk facing organizations if they failed to patch critical flaws in VPN servers, in October 2019, the U.S. National Security Agency and Britain's National Cyber Security Center issued alerts telling organizations to do so right away.
They warned that attackers were actively exploiting serious flaws in three VPN products: Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate. Patches had been released to fix all of the flaws, which came to light in 2019 (see: NSA Is Latest Intelligence Agency to Sound VPN Patch Alarm).
"Multiple nation-state advanced persistent threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices," the NSA's alert warned, referring to two flaws in the firmware that runs Pulse Connect Secure devices and one in the firmware for Fortinet devices. By the time of those alerts, fixes had already long been issued by the vendors.
Fortinet VPN Servers Unpatched Too
Patching of Fortinet servers is also incomplete, with many still remaining vulnerable to CVE-2018-13379 - designated FG-IR-18-384 by the vendor - which enables attackers to easily steal plaintext passwords and usernames from servers.
Incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements, says that as of Tuesday, his internet scans have counted 206,000 Fortinet VPN servers globally that have HTTP-accessible login pages, of which 16,223 appear to remain unpatched, down from 22,000 in October 2019. Looking at a country level, 3,702 unpatched servers are located in the U.S., and 438 in the U.K., he says.
Travelex Attack Tied to Sodinokibi
Numerous organizations still don't appear to have gotten the "patch or perish" message, or to have only gotten it belatedly.
One recent Sodinokibi victim was reportedly foreign exchange firm Travelex, which suffered a ransomware infection on New Year's Eve. Travelex is owned by the financial services group Finabir, based in Abu Dhabi, and the attack against it disrupted foreign exchange operations in numerous banks, the BBC reports, including leaving Barclays, HSBC, Sainsbury's Bank, Tesco Bank and Virgin Money unable to accept online money-exchange orders.
As of Tuesday, Travelex's website resolved to a page that read: "Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly." That replaced a Microsoft Internet Information Services error-message page that had been appearing after the attack.
Travelex’s AWS platform had Windows servers with RDP enabled to internet and NLA disabled, oops. pic.twitter.com/UJz7pQJwx6— Kevin Beaumont (@GossiTheDog) January 2, 2020
The Guardian reports that the company's Sodinokibi-wielding attackers have demanded $3 million in return for the promise of being provided with a decryption tool.
Bad Packets' Mursch tells ComputerWeekly that Travelex had seven Pulse Secure VPN servers - in Australia, the Netherlands, the U.K. and the U.S. - that it failed to patch against CVE-2019-11510 until November 2019, although he said it had been directly warned before that.
The FBI recently warned that ransomware attackers may gain access to targeted networks and lurk for months before unleashing an attack timed to have maximum impact and thus drive victims to pay. In other words, by the time Travelex patched, a Sodinokibi gang may have already established a foothold in its network and decided that Dec. 31, 2019, was the optimal attack date.
Travelex's attackers, however, apparently had multiple potential hacking options, including via its Amazon Web Services infrastructure, which they could have accessed via remote desktop protocol. "Travelex’s AWS platform had Windows servers with RDP enabled to internet and NLA disabled, oops," Beaumont tweets. Network-level authentication - NLA - can be used to require that someone attempting to connect to a server via RDP first authenticate themselves.
Using NLA would have been a good option, because hackers can often buy or brute-force RDP credentials via cybercrime marketplaces to gain easy, remote access into enterprise networks (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).
Repeat Target: MSPs
The list of organizations running unpatched VPN servers, as noted, includes MSPs. That's a big concern because they remain a top target for at least one affiliate individual - or gang - of Sodinokibi, which is a ransomware-as-a-service operation. For every ransom that gets paid, the RaaS operators take a cut, then give the rest to the responsible affiliate (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
Hitting MSPs is a popular option, because for attackers, that one organization can be a gateway to hundreds of other potential victims. As a bonus, many MSPs have already installed remote-connectivity software on the PCs they manage, which can be subverted to push crypto-locking malware (see: Texas Ransomware Responders Urge Remote Access Lockdown).
"It's been devastating, because when they do get into an MSP, they hit hundreds of companies, sometimes simultaneously, [generating] very high return on the attack, rather than just hitting the MSP, which is also a small business," Bill Siegel, CEO of ransomware response firm Coveware, has told Information Security Media Group. "They're hitting hundreds of small organizations at a time."