Just days ago, a list of plaintext usernames, passwords and IP addresses for more than 900 Pulse Secure VPN servers was published online along with SSH keys for each server, a list of all local users and their password hashes, admin account details, last VPN logins and VPN session cookies.
So how did attackers get their hands on the information?
The leaked list also highlighted each VPN server’s firmware version and as it turns out, all listed servers were running an older version that is susceptible to CVE-2019-11510 – an arbitrary file reading vulnerability.
Researchers believe that the attackers responsible for this leak scanned for all IPv4 internet addresses and then exploited the vulnerability to gain access to each company’s sensitive systems and server details. Based on timestamps, the information was collected between June 24 and July 8, 2020.
At the time of the scan, 617 out of the 913 unique IP addresses published were still vulnerable to CVE-2019-11510, despite the vulnerability having been made public in August 2019 and customers urged to immediately apply the patch and change their passwords.
It’s Time to Re-examine Remote Access
VPN server usage has skyrocketed with the rise in remote work — one study points to a 124% increase in March 2020 alone. More than ever, employees and third parties alike rely on VPNs to access corporate networks from remote locations and, in some cases, gain privileged access to critical business systems and applications to do their jobs. However, VPNs provide network access and aren’t designed to provide privileged access to critical internal systems.
The increased reliance on VPNs has grabbed the attention of attackers as they look to take advantage of the dynamic environment the global pandemic has caused – and many have been successful.
By exploiting vulnerabilities in VPN servers and gaining access to sensitive systems, these threat actors can deploy ransomware, encrypt entire networks and demand huge payments. Today in the United States, the average ransomware demand is $84,000 and incidents typically result in 16 days of downtime — at a conservative estimate of $10,000 per day.
While VPNs have traditionally served an important role, this high-profile leak and other recent breaches underscore the need for organizations to reexamine how they provide remote access to the most sensitive aspects of their corporate network.
When exploring ways to connect remote employees and vendors, it’s important to strike the right balance between security and usability. Doron Naim, cyber research group manager at CyberArk Labs notes that advances in Zero Trust access, which provides granular access to a specific critical system instead of the whole network; biometric multi-factor authentication (MFA) and just-in-time provisioning are making it possible for organizations to achieve this balance without costly tradeoffs. Such approaches, combined with privileged session isolation and management, could eliminate the need for a VPN altogether in some cases, and with it, the associated operational burden on IT admin teams.
The traditional perimeter is gone. As many employees continue to work remotely and organizations rely heavily on outsourced operations, the time is now to find innovative ways to grant secure privileged access to remote users without disrupting operations. To learn how CyberArk is tackling this challenge with privileged access management (PAM), visit here.