U.S. Government Issues Powerful Security Alert: Upgrade VPN Or Expect Cyber-Attacks


The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert that strongly urges users and administrators alike to update a VPN with long-since disclosed critical vulnerabilities. "Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability," the CISA alert warns, "can become compromised in an attack." What has dictated the need for this level of Government agency interest and the urgency of the language used? The simple answer is the ongoing Travelex foreign currency exchange cyber-attack, thought to have been facilitated by no less than seven VPN servers that were late in being patched against this critical vulnerability. The vulnerability in question is CVE-2019-11510, first disclosed way back in April 2019 when Pulse Secure VPN also released a patch to fix it.

Critical VPN security vulnerability timeline

The CISA alert provides a telling timeline that outlines how the Pulse Secure VPN critical vulnerability, CVE-2019-11510, became such a hot security potato. Pulse Secure first released an advisory regarding the vulnerabilities in the VPN on April 24, 2019. "Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS)," that advisory warned, "this includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway." An upgrade patch to fix the problem, which had been rated as critical, was made available at the same time. Warning users that the vulnerabilities posed a "significant risk to your deployment," Pulse Secure recommended patching as soon as possible.

The CISA alert reports that an exploit was demonstrated on July 31, 2019, and that on August 24, 2019, more than 14,500 vulnerable VPN servers around the world were still unpatched. By October 7, 2019, the National Security Agency (NSA) had issued an advisory on mitigating attacks against VPN products being actively targeted by advanced persistent threat (APT) actors. APT actors are often associated with highly organized criminal gangs or state-sponsored threats, such as the North Korean APT group that Microsoft recently dealt a powerful counterpunch.

The Sodinokibi ransomware attacks

Ransomware is nothing new, but it remains a high-impact cyber threat, as the Federal Bureau of Investigation (FBI) warned in 2019. The criminals behind a spate of Sodinokibi ransomware attacks have already demonstrated that in 2020. Officials from Albany International Airport confirmed on January 9 that a Christmas Day ransomware attack had occurred, and that the attack used Sodinokibi.

Airports are not the only Sodinokibi target though, as foreign currency exchange Travelex knows only too well. The London-based exchange operates at plenty of airport locations, of course, but also partners with many high street banks to provide currency exchange services. On New Year's Eve, Travelex was forced to shut down its systems to prevent the spread of the ransomware, with airport locations, website and the Travelex app all being impacted. It is currently facing a ransomware demand that is reported to have doubled from the original $3 million (£2,296,000) to $6 million (£4,592,000) with the threat of data being released or sold if the demands are not met.

The industry expert opinion on securing "mission-critical" VPN deployment

"VPN is one of those services which should be deemed mission-critical," Ian Thornton-Trump, CISO at threat intelligence specialist Cyjax, says. "My guess is that change management 'test and deploy' is tough for VPN technology as the remote workplace becomes a huge coordination challenge," Thornton-Trump continues. "What we may be seeing is the impact of poor asset management and many businesses not knowing what they have in place or what their business's existing VPN technology is built on."

There is no escaping that there was plenty of threat intelligence surrounding this vulnerability, and that includes being aware of active exploitation in the wild. Even so, Thornton-Trump concludes, "some organizations will be surprised to see this stuff and even more surprised when it’s pwnd."

As the Cybersecurity and Infrastructure Security Agency alert quite categorically states: "CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes." The bottom line, according to CISA, is that "this vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates."
