Pulse Secure VPN servers are being targeted by cybercriminals who use the REvil (Sodinokibi) ransomware to extort large organizations.

According to ZDNet, UK security researcher Kevin Beaumont is urging organizations that use Pulse Secure VPN to patch now or face huge ransomware attacks by criminals who can easily use the Shodan.io IoT search engine to identify vulnerable VPN servers. The REvil (Sodinokibi) ransomware was used in an attack last month on NASDAQ-listed US data-center provider CyrusOne and against several managed service providers (MSP), 20 Texas local governments, and over 400 dentist offices, says ZDNet.  

Beaumont puts REvil in the 'big game' category because criminals have employed it to encrypt critical business systems and demand huge sums of money, says ZDNet. The ransomware strain, discovered in April, initially used a vulnerability in Oracle WebLogic to infect systems. In an article, Beaumont notes that the Pulse Secure VPN vulnerability is incredibly bad, as it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords). 

In addition, Beaumont notes that the Pulse Secure VPN servers haven't been applied with patches flagged in warnings from the US CISA, US National Security Agency and the UK's National Cybersecurity Centre in October. 

Jared Greenhill, Director, Crypsis Group, says, “Recently, we have seen the Sodinokibi (REvil) ransomware variant become increasingly prevalent in Pulse Secure VPN vulnerability cases. But it’s not only the frequency of cases that is at issue, the techniques and methods used across the range of ransomware criminal actors provide profound challenges of their own—they are using more sophisticated vectors to deliver it (such as defeating MFA protections) and are going to great lengths to ensure they are paid. This includes examples such as disabling backup systems, being unwilling to negotiate ransoms when they assume the company is able to pay the asking rate, and, in some cases, threatening to publish data if not paid in full. While applying security best practices is highly recommended, threat actors are getting more sophisticated in working around protections and tools, making the fight against ransomware continually more difficult for organizations.”

Similarly, Sounil Yu, a member of the Board Of Advisors at Strategic Cyber Ventures, says, “Suppose a home inspector came to your house and told you that your house is vulnerable to a Category 1 hurricane. If you lived in Florida, you’re in trouble and you better start fixing your house right now before June when the hurricane season will be in full swing. Fixing the house will require lots of renovation and downtime. If you lived in Alaska, you’d shrug and ignore the vulnerability report because the expected loss is not worth the downtime and renovation costs. If weather patterns change and tornadoes became sufficiently frequent in Alaska, your risk management calculus may change and you may choose to take the downtime hit."

"There are those running PulseVPN who know they live in Florida and took action immediately," says Yu. "There are those that live in Alaska and ignored the warning. There are those that will realize that weather patterns have changed (via news/threat intelligence of increased attacks) and will take action now. Then there are those that think they live on an island near Alaska but due to continental drift, now live near Florida and don’t realize it. There are also those that aren’t aware of the changing weather patterns and will be in for a nasty surprise when they find their house flattened."

"The goal for mature organizations is to know where they are (via inventories), understand what’s important (Crown Jewels), and adjust as appropriate to the prevailing threat conditions so that their assets are safe,” warns Yu.