In April 2019, Pulse Secure issued a security advisory for its VPN application. According to the advisory, multiple bugs had been found that could bypass authentication, allow file access and even permit remote code execution. Public proof-of-concept exploits were released in August, increasing the urgency to patch. Soon after the exploit was published, researchers noticed an increase in scans being run to detect vulnerable systems. At the time, Bad Packets ran its own scan and concluded that there were almost 15,000 vulnerable servers across the world. By October, multiple agencies (including the NSA) had also issued warnings to patch the recent vulnerabilities in the Pulse Secure VPN client. Kevin Beaumont has been following the issues and believes that unpatched Pulse Secure VPN clients may also be the cause of multiple recent REvil/Sodinokibi infections. As of this writing, over a thousand vulnerable devices are still online.
Analyst Notes
Businesses using Pulse Secure should immediately read the security advisory on Pulse Secure’s website to determine whether or not an update is needed. All affected versions are listed. AV (Anti-Virus) solutions should be kept up-to-date as well. Consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Utilizing an EDR solution or an MDR (managed detection and response) can help spot threats before they spread too far. Many forms of ransomware also seek out network attached drives when encrypting files; backups should be done periodically and stored offline in a secure location.
Source: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/, https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9