Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks

Recent rash of ransomware attacks are leveraging an eight-month-old flaw in a popular SSL VPN solution used by large organizations and governments around the world.

Background

On January 4, security researcher Kevin Beaumont (@GossiTheDog) observed two "notable incidents" in which a vulnerability in a Secure Socket Layer (SSL) Virtual Private Network (VPN) solution was used to breach two organizations and install targeted ransomware.

In his blog, Beaumont says this vulnerability was used to gain access to the vulnerable networks, followed by a similar pattern: obtaining domain administrator access, installing Virtual Network Computing (VNC) using PsExec for lateral movement, disabling endpoint security tools and installing the Sodinokibi ransomware, also known as Sodin or REvil.

Scott Gordon, Chief Marketing Officer for Pulse Secure, issued the following statement regarding Beaumont’s blog:

“Threat actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products -- and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”

Analysis

Pulse Secure Vulnerability

CVE-2019-11510 is a critical arbitrary file disclosure vulnerability in Pulse Connect Secure, the SSL VPN solution from Pulse Secure. Exploitation of the vulnerability is simple, which is why it received a 10.0 rating using the Common Vulnerability Scoring System (CVSS). The flaw could allow a remote, unauthenticated attacker to obtain usernames and plaintext passwords from vulnerable endpoints.

While Pulse Secure issued an out-of-cycle patch for the vulnerability in April 2019, it garnered more attention after a proof of concept (PoC) for the flaw was made public in August 2019. Shortly after the PoC was released, reports began to surface that attackers were probing for vulnerable endpoints and attempting to exploit the flaw.

At the time, Troy Mursch, Chief Research Officer at Bad Packets, identified over 14,500 Pulse Secure VPN endpoints that were vulnerable to this flaw. Mursch has been working to notify affected organizations to patch the flaw while also publishing weekly reports on Twitter of scan results for vulnerable endpoints. According to the most recent scan result from January 3, 2020, Mursch detected 3,825 endpoints that remain vulnerable, with over 1,300 of those endpoints residing in the United States.

Vulnerable Pulse Secure VPN Servers by Country

Sodinokibi (REvil) Ransomware

Sodinokibi (or REvil) first appeared in April 2019 as part of attacks utilizing a zero-day exploit for an unauthenticated remote code execution vulnerability in Oracle WebLogic identified as CVE-2019-2725. Additional research in July 2019 found that Sodinokibi also exploits CVE-2018-8453, an elevation of privilege flaw in Win32k, which the researchers called “rare among ransomware.”

Sodinokibi has been linked to the creators of the GandCrab ransomware, which shuttered its operations in May 2019 after earning a reported $2 billion in ransom payments.

Big Game Hunting Ransomware

The use of the term “Big Game Hunting” references a Crowdstrike blog from 2018 regarding the electronic crime group dubbed INDRIK SPIDER pivoting from banking trojans to targeted ransomware attacks using the BitPaymer ransomware. The “big game” component refers to threat actors shifting to “targeted, low-volume, high return” activity.

In the case of Sodinokibi, it appears this tactic has been fruitful. Security researcher Rik Van Duijn identified at least seven cases of Sodinokibi ransomware infections in the first six days of 2020 demanding over $10 million based on analyzed malware samples, underscoring just how much potential value there is in these big game hunting ransomware attacks.

While Sodinokibi has been linked to various vulnerabilities mentioned above, it is important to note that ransomware in general spreads through a variety of methods, including unpatched software vulnerabilities, malicious emails and exposed remote desktop systems.

Proof of concept

The first PoC published for CVE-2019-11510 was released on August 20 to Exploit Database by security researchers Alyssa Herrera and Justin Wagner. There are also multiple PoCs to identify and/or exploit CVE-2019-11510 published to GitHub repositories.

Solution

As previously noted, Pulse Secure released patches for CVE-2019-11510 back in April 2019. If your organization utilizes Pulse Connect Secure in your environment, it is paramount that you patch as soon as possible. Additionally, because Sodinokibi uses CVE-2018-8453, it is also extremely important to ensure the appropriate security updates from Microsoft’s October 2018 Patch Tuesday have been applied.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here, which includes a direct exploit check, identified as Plugin ID 127897.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training