Pulse Secure VPN Servers Targeted by REvil (Sodinokibi) Ransomware

January 7, 2020

Pulse Secure VPN servers are being targeted by cybercriminals who use the REvil (Sodinokibi) ransomware to extort large organizations.

According to ZDNet, UK security researcher Kevin Beaumont is urging organizations that use Pulse Secure VPN to patch now or face huge ransomware attacks by criminals who can easily use the Shodan.io IoT search engine to identify vulnerable VPN servers. The REvil (Sodinokibi) ransomware was used in an attack last month on NASDAQ-listed US data-center provider CyrusOne and against several managed service providers (MSP), 20 Texas local governments, and over 400 dentist offices, says ZDNet.

Beaumont puts REvil in the 'big game' category because criminals have employed it to encrypt critical business systems and demand huge sums of money, says ZDNet. The ransomware strain, discovered in April, initially used a vulnerability in Oracle WebLogic to infect systems. In an article, Beaumont notes that the Pulse Secure VPN vulnerability is incredibly bad, as it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords).

In addition, Beaumont notes that the Pulse Secure VPN servers haven't been applied with patches flagged in warnings from the US CISA, US National Security Agency and the UK's National Cybersecurity Centre in October.

Jared Greenhill, Director, Crypsis Group, says, “Recently, we have seen the Sodinokibi (REvil) ransomware variant become increasingly prevalent in Pulse Secure VPN vulnerability cases. But it’s not only the frequency of cases that is at issue, the techniques and methods used across the range of ransomware criminal actors provide profound challenges of their own—they are using more sophisticated vectors to deliver it (such as defeating MFA protections) and are going to great lengths to ensure they are paid. This includes examples such as disabling backup systems, being unwilling to negotiate ransoms when they assume the company is able to pay the asking rate, and, in some cases, threatening to publish data if not paid in full. While applying security best practices is highly recommended, threat actors are getting more sophisticated in working around protections and tools, making the fight against ransomware continually more difficult for organizations.”

Similarly, Sounil Yu, a member of the Board Of Advisors at Strategic Cyber Ventures, says, “Suppose a home inspector came to your house and told you that your house is vulnerable to a Category 1 hurricane. If you lived in Florida, you’re in trouble and you better start fixing your house right now before June when the hurricane season will be in full swing. Fixing the house will require lots of renovation and downtime. If you lived in Alaska, you’d shrug and ignore the vulnerability report because the expected loss is not worth the downtime and renovation costs. If weather patterns change and tornadoes became sufficiently frequent in Alaska, your risk management calculus may change and you may choose to take the downtime hit."

"There are those running PulseVPN who know they live in Florida and took action immediately," says Yu. "There are those that live in Alaska and ignored the warning. There are those that will realize that weather patterns have changed (via news/threat intelligence of increased attacks) and will take action now. Then there are those that think they live on an island near Alaska but due to continental drift, now live near Florida and don’t realize it. There are also those that aren’t aware of the changing weather patterns and will be in for a nasty surprise when they find their house flattened."

"The goal for mature organizations is to know where they are (via inventories), understand what’s important (Crown Jewels), and adjust as appropriate to the prevailing threat conditions so that their assets are safe,” warns Yu.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Pulse Secure VPN Servers Targeted by REvil (Sodinokibi) Ransomware

Related Articles

Related Products

Report Abusive Comment