Posted on January 7, 2020 at 4:59 PM
Security experts have warned about the recent activity of the cyber attackers behind the REvil ransomware. This time, the attackers are disabling antivirus software and infiltrating networks through unpatched Pulse Secure VPN servers.
The researchers are advising organizations that run Pulse Secure VPN to upgrade and patch their servers or risk falling victim to big-game ransomware attacks. According to the researchers, it is very easy for attackers to find vulnerable VPN servers using the Shodan.io search engine.
Last month, the REvil (Sodinokibi) ransomware was found to have attacked CyrusOne, a NASDAQ-listed U.S. data center provider. The ransomware has also infiltrated several managed service providers as well as more than 400 dental offices.
A big game ransomware
Kevin Beaumont, a UK security researcher, has categorized REvil as a “big game” ransomware family, one capable of causing severe damage to the systems it lands on. According to him, attackers have repeatedly used it to encrypt highly sensitive business systems and demanded huge sums as ransom. The ransomware was discovered last April; initially it took advantage of an Oracle WebLogic vulnerability to infect systems.
The REvil ransomware can only get in through Pulse Secure VPN servers that have not yet applied the patch. Warnings about these VPN vulnerabilities had already been issued in October last year by the UK’s National Cyber Security Centre, the US National Security Agency and CISA.
The security agencies issued those warnings after state-sponsored hackers were seen exploiting vulnerabilities in both Fortinet and Pulse Secure VPN servers.
Now, criminal attackers have adopted the same flaw and are launching attacks with it. The vulnerability in the VPN server is particularly bad because it grants access without requiring the attacker to present valid credentials. The researchers also said it lets remote attackers connect to the corporate network, view cached passwords and view logs. It also allows attackers to disable the server’s multi-factor authentication.
How REvil ransomware got into the systems
Beaumont said he observed two REvil incidents last week. According to him, the attackers used the same approach to gain access to the network in both cases. They then seized domain admin control and used remote access software to move through the environment.
At that point the REvil operators were able to disable the endpoint security tools, and they spread the ransomware to the remaining systems using PsExec. PsExec is a legitimate remote-execution tool for Windows administration, so its use blends in with normal administrative activity and is easy to overlook.
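The spread via PsExec described above leaves a recognizable trace on each victim host: PsExec installs a temporary service, which Windows records as a System-log event 7045 ("A service was installed"). The following added example (not part of the original article) flags such installs in a constructed JSON-lines export of System-log events and groups the touched hosts by the installing account; the field names and sample events are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample of Windows System-log events exported as JSON lines.
# Field names follow a typical SIEM export (assumed); 7045 = "A service was installed".
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "CORP\\admin01", "Time": "2020-01-03T02:14:07Z"}
{"EventID": 7045, "Computer": "WS22", "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "AccountName": "LocalSystem", "Time": "2020-01-03T02:15:00Z"}
{"EventID": 7036, "Computer": "FS01", "ServiceName": "PSEXESVC", "Message": "entered the running state", "Time": "2020-01-03T02:14:08Z"}
{"EventID": 7045, "Computer": "DC01", "ServiceName": "xk9q2", "ImagePath": "%SystemRoot%\\xk9q2.exe", "AccountName": "CORP\\admin01", "Time": "2020-01-03T02:16:30Z"}
{"EventID": 7045, "Computer": "APP03", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "CORP\\admin01", "Time": "2020-01-03T02:17:45Z"}
"""

PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)
# Service binary sitting directly in the Windows root (the ADMIN$ share), not in System32.
ROOT_EXE_RE = re.compile(r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def is_psexec_like(event):
    """True for a service-install event that looks like PsExec (default or renamed service)."""
    if event.get("EventID") != 7045:
        return False
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if PSEXEC_RE.search(name) or PSEXEC_RE.search(path):
        return True
    # PsExec copies its service binary into the ADMIN$ share root; a renamed copy
    # still ends up as an .exe directly under %SystemRoot%, so flag that too.
    return bool(ROOT_EXE_RE.match(path))


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def psexec_hits(text):
    return [e for e in parse_events(text) if is_psexec_like(e)]


def hosts_by_account(hits):
    """Group touched hosts by installing account: one account landing a service on
    several hosts within minutes is the lateral-movement pattern worth paging on."""
    by_acct = defaultdict(set)
    for e in hits:
        by_acct[e.get("AccountName", "?")].add(e["Computer"])
    return {acct: sorted(hosts) for acct, hosts in by_acct.items()}


if __name__ == "__main__":
    for acct, hosts in hosts_by_account(psexec_hits(SAMPLE_EVENTS)).items():
        print(f"{acct}: PsExec-style service installs on {len(hosts)} host(s): {', '.join(hosts)}")
```

The root-directory heuristic will also catch legitimate tools that install a service the same way, so treat a hit as a lead to confirm against change records rather than as proof of compromise.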
Bad Packets, a security company, carried out a scan on January 4. According to the scan, about 3,820 Pulse Secure VPN servers had not yet been patched against the flaw. Of these, more than 1,300 vulnerable servers were based in the United States.
However, Scott Gordon, Pulse Secure’s CMO, said that many Pulse customers have applied the patch the company issued in April last year, so their systems are no longer susceptible to the attack.
He said some organizations have yet to apply those patches. According to him, these organizations that have not upgraded are the ones most exposed to the ransomware attack. Bad Packets had reported more than 20,000 vulnerable VPN servers in August last year.
Of that number, about 5% are still vulnerable. Gordon has asked customers to make sure their systems are updated so as to close off any vulnerability the attackers may target with ransomware.
He urged customers to patch their systems quickly, since the server-side patch does not require them to update the client. He pointed out that the only way organizations can stay out of the ransomware’s reach is to apply the necessary patches to their systems. Gordon advised them to close the vulnerabilities as soon as possible.