In April 2019, Pulse Secure issued a security advisory for its VPN application. According to the advisory, multiple bugs had been found that could allow authentication bypass, file access and even remote code execution. Public proof-of-concept exploits were made available in August, increasing the urgency to patch. Soon after the exploits were made available, researchers noticed an increase in scans being run to detect vulnerable systems. At the time, Bad Packets had run their own scan and concluded that there were almost 15,000 vulnerable servers across the world. By October, multiple agencies (including the NSA) had also issued warnings to patch the recent vulnerabilities in the Pulse Secure VPN client. Kevin Beaumont has been following the issues and believes that unpatched Pulse Secure VPN clients may also be the cause of multiple recent REvil/Sodinokibi infections. As of this writing, over a thousand devices online are still vulnerable.