Tue. Nov 24th, 2020

REvil Ransomware Is Being Delivered To Organizations Via Pulse Secure VPN

An unpatched vulnerability in Pulse Secure’s Zero Trust VPN is being exploited to install REvil (Sodinokibi) ransomware.


In April of last year, Pulse Secure issued a patch for the vulnerability. Unfortunately, many organizations did not apply the patch. Now, security researcher Kevin Beaumont is warning organizations to fix the vulnerability immediately.


According to Beaumont, the vulnerability is so bad that “it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords).”


Additionally, Beaumont said he saw two notable incidents in which Pulse Secure is believed to have been the point of entry. In both incidents, the organizations had unpatched Pulse Secure systems.


Earlier this week, we reported that Travelex was being held for ransom by the Sodinokibi group. Beaumont said Travelex had 7 unpatched Pulse Secure servers.


Even worse, Beaumont scanned Pulse Secure servers on Jan. 3 and found 3,826 servers remain vulnerable to attack.


Moral of the story: update your Pulse Secure server!