Pulse Secure VPN vulnerability targeted with ransomware

A security researcher has discovered new ransomware attacks against enterprises with vulnerable Pulse Secure VPN servers.

Kevin Beaumont, a security researcher based in the U.K., said the Pulse Secure VPN vulnerability -- which was originally patched in April 2019 -- has been targeted in ransomware attacks recently. Beaumont noted in a blog post that he saw two incidents last week where the impacted companies "believed Pulse Secure was the cause of a breach, and used to deliver Sodinokibi (REvil) ransomware."

"In both cases the organisations had unpatched Pulse Secure systems, and the footprint was the same -- access was gained to the network, domain admin was gained, VNC [virtual network computing] was used to move around the network, and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec," Beaumont wrote.

He added that the recent ransomware attack against Travelex, a foreign exchange company based in London, was potentially due to the Pulse Secure VPN vulnerability because he found the company had seven unpatched servers. There was one incident in which Beaumont said the Pulse Secure VPN vulnerability was confirmed exploited to deliver ransomware, but no details were given for that attack. 

Pulse Secure said in a statement that it is urging "all customers to apply the patch fix."

"Pulse Secure publicly provided a patch fix on April 24, 2019, that should be immediately applied to the Pulse Connect Secure (VPN)," Scott Gordon, chief marketing officer at Pulse Secure, said. "The CVE-2019-1150 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit."