Health-ISAC Vulnerability Bulletin

Date: April 17, 2020

TLP: White

Event: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching

Summary:

On April 16, 2020, the DHS Cybersecurity and Infrastructure Security Agency
(CISA) published Activity Alert AA20-107A, "Continued Threat Actor
Exploitation Post Pulse Secure VPN Patching". The Alert updates CISA Alert
AA20-010A, "Continued Exploitation of Pulse Secure VPN Vulnerability", which
advised organizations to immediately patch CVE-2019-11510, an arbitrary file
reading vulnerability affecting Pulse Secure virtual private network (VPN)
appliances. CISA is providing this update to alert enterprises that threat
actors who successfully exploited CVE-2019-11510 and stole a Pulse VPN
credential can still access, and move laterally through, that organization's
network even after the vulnerability has been patched, if the organization
did not change the stolen credentials.

Health-ISAC shared a Threat Bulletin on August 21, 2019, that referenced how
the DEVCORE security research team demonstrated critical vulnerabilities in
each of three popular enterprise VPN services, stemming from their common use
of exposed SSL certificates and processes. The research was originally
presented at the 2019 Black Hat and DEF CON conferences in Las Vegas, NV
(August 7 and August 9, 2019).

Analysis:

The CISA Activity Alert (AA20-107A) provides new detection methods for this
activity, including a CISA-developed tool that helps network administrators
search for indicators of compromise (IOCs) associated with exploitation of
CVE-2019-11510. The alert also provides mitigations for victim organizations
to recover from attacks resulting from CVE-2019-11510. CISA encourages
network administrators to remain aware of the ramifications of exploitation
of CVE-2019-11510 and to apply the detection measures and mitigations
provided in this report to secure networks against these attacks.

CISA has conducted multiple incident response engagements at U.S. Government
and commercial entities where malicious cyber threat actors have exploited
CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse
Secure VPN appliances, to gain access to victim networks. Although Pulse
Secure released patches for CVE-2019-11510 in April 2019,[2] CISA has
observed incidents where compromised Active Directory credentials were used
months after the victim organization patched its VPN appliance.

Please see US-CERT Alert AA20-107A <https://www.us-cert.gov/ncas/alerts/aa20-107a>
and the original documentation, which provide more in-depth analysis:

*       Health-ISAC Threat Bulletin on August 21, 2019
*       CISA Activity Alert AA20-107A <https://www.us-cert.gov/ncas/alerts/aa20-107a>
        *       Technical Details
        *       Cyber Threat Actor Behavior in Victim Network Environments
        *       IOC Detection Tool
        *       Mitigations
        *       and more…
*       Indicators of Compromise
        *       Link for STIX and TAXII – For a downloadable copy of IOCs, see the
                STIX file
                <https://www.us-cert.gov/sites/default/files/publications/AA20-107A_IOCs(WHITE).stix.xml>

Recommendations:

CISA strongly urges organizations that have not yet done so to upgrade their
Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If, after
applying the detection measures in this alert, organizations detect evidence
of CVE-2019-11510 exploitation, CISA recommends changing passwords for all
Active Directory accounts, including administrator and service accounts.
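The password-rotation recommendation above can be tracked with a short
Active Directory audit. The script below is an added example written for this
bulletin; it is not part of the bulletin, the CISA alert, or the CISA IOC
tool. It assumes the RSAT ActiveDirectory PowerShell module is available, and
the patch date is a placeholder to be replaced with the day the appliance was
actually patched. It lists enabled accounts whose password was last set
before that date, which are the credentials a pre-patch file read could have
exposed, and flags privileged accounts (AdminCount) and accounts carrying a
service principal name so those can be rotated first.

```powershell
# Added example, not from the bulletin or from CISA: report enabled Active
# Directory accounts whose password predates the VPN appliance patch date.
# Assumes the RSAT ActiveDirectory module; $patchDate is a placeholder.
Import-Module ActiveDirectory

$patchDate = Get-Date '2019-04-30'   # placeholder: the day the Pulse appliance was patched

$report = Get-ADUser -Filter * -Properties PasswordLastSet, LastLogonDate, AdminCount, ServicePrincipalName |
    Where-Object {
        # PasswordLastSet is $null when the account must change its password at next logon
        $_.Enabled -and (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $patchDate)
    } |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ Name = 'Privileged';     Expression = { $_.AdminCount -eq 1 } },
        @{ Name = 'ServiceAccount'; Expression = { ($_.ServicePrincipalName).Count -gt 0 } } |
    Sort-Object Privileged, ServiceAccount -Descending

# Privileged and service accounts sort to the top; rotate those first.
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\accounts-to-rotate.csv -NoTypeInformation

# Remaining work by category (Privileged, ServiceAccount) for tracking progress
$report | Group-Object Privileged, ServiceAccount | Select-Object Name, Count
```

Run it from a domain-joined host with an account permitted to read user
attributes; re-run after each rotation wave until the report is empty. An
empty PasswordLastSet is treated as stale on purpose, because an account
forced to reset at next logon has not actually rotated yet.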

CISA also recommends that organizations:

*       Look for unauthorized applications and scheduled tasks in their
environment.
*       Remove any remote access programs not approved by the organization.
*       Remove any remote access trojans.
*       Carefully inspect scheduled tasks for scripts or executables that
may allow an attacker to connect to an environment.
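One way to carry out the scheduled-task and remote-access-program checks in
the list above on a Windows host, as an added example that is not part of the
bulletin, the CISA alert, or the CISA IOC tool. The interpreter list, the
user-writable path list, the remote access product names and the empty
approved-tools list are all assumptions to be adapted to the organization's
own baseline. Part 1 flags scheduled tasks whose action launches a script
interpreter, runs from a user-writable location, or carries encoded or
download-style arguments; part 2 lists installed programs whose display name
matches a common remote access product and is not on the approved list.

```powershell
# Added example, not from the bulletin or from the CISA IOC tool. All lists
# below are assumptions; tune them to the organization's approved software.
$interpreters = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'
$userWritable = "$env:ProgramData", "$env:PUBLIC", 'C:\Users\', "$env:windir\Temp"
$remoteAccessNames = 'TeamViewer','AnyDesk','VNC','Splashtop','ConnectWise',
                     'ScreenConnect','LogMeIn','Ammyy','Remote Utilities'
$approvedRemoteAccess = @()   # placeholder: the organization's sanctioned remote access tools

# Part 1: scheduled tasks worth a closer look
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # e.g. COM handler actions
        $exe  = [IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
        $line = "$($action.Execute) $($action.Arguments)"
        $why  = @()
        if ($interpreters -contains $exe) { $why += "interpreter ($exe)" }
        if ($userWritable | Where-Object { $line -like "*$_*" }) { $why += 'user-writable path' }
        if ($action.Arguments -match '(-enc|-e\s|FromBase64String|DownloadString|IEX|Invoke-Expression|http)') {
            $why += 'encoded or download-style arguments'
        }
        if ($why.Count) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                RunsAs  = $task.Principal.UserId
                Author  = $task.Author
                LastRun = $info.LastRunTime
                Command = $line
                Reason  = $why -join '; '
            }
        }
    }
}
$suspectTasks | Sort-Object LastRun -Descending | Format-Table -AutoSize -Wrap

# Part 2: installed programs that look like remote access tools and are not approved
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$pattern = ($remoteAccessNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern -and $_.DisplayName -notin $approvedRemoteAccess } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Format-Table -AutoSize
```

Run it in an elevated session so that tasks and uninstall entries belonging
to other principals are visible. The output is a triage list, not a verdict:
a task that runs powershell.exe from ProgramData may be legitimate, but the
Author, RunsAs and LastRun columns give the context needed to confirm it
against change records before removing anything.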

If organizations find evidence of malicious, suspicious, or anomalous
activity or files, they should consider reimaging the workstation or server
and redeploying it into the environment. CISA recommends performing checks
to ensure the infection is gone even if the workstation or host has been
reimaged.

Health-ISAC recommends members maintain an offsite backup of critical data
to protect against loss of integrity or availability of data in the event of
a breach due to one of the CVEs above being exploited. Please review the
Health Industry Cybersecurity Practices (HICP): Managing Threats and
Protecting Patients publication for additional best practices, available
here:
<https://healthsectorcouncil.org/hhs-and-hscc-release-voluntary-cybersecurity-practices-for-the-health-industry/>

References:

US-CERT – Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
<https://www.us-cert.gov/ncas/alerts/aa20-107a>

Health-ISAC Threat Bulletin on August 21, 2019
<https://h-isac.org/health-isac-threat-bulletin-8-21-19/>

Pulse Secure Advisory SA44101
<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>

Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct
<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1>

OpenSecurity Forums. Public vulnerability discussion. (2019, August 23).
<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>

GitHub. BishopFox / pwn-pulse.
<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>

File disclosure in Pulse Secure SSL VPN (Metasploit)
<https://www.exploit-db.com/exploits/47297>

Twitter. @alyssa_herrera_
<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>
OpenSecurity Forums. Public vulnerability discussion. (2019, August 31).
<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887>
