By Dave Buckley
On 16 April 2020, CISA released an alert covering continued exploitation of Pulse Secure VPNs after patching. It updates the original alert CISA published in January 2020, which advised organisations to patch CVE-2019-11510 immediately. Pulse Secure had released patches for this vulnerability a year earlier, in April 2019 (SA44101). The reason patching alone is not enough: CVE-2019-11510 is an unauthenticated arbitrary file read on the appliance that lets an attacker pull cached credentials, including plaintext passwords, off the box, and those credentials keep working after the file-read bug is fixed.
CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access and move laterally through that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.
The alert also provides new detection methods for this activity and a tool that helps network administrators search for indicators of compromise.
CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If, after applying the detection measures in this alert, organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.
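A practical first step towards that password reset is to find every account whose credential predates the patch and so could have been captured through the file-read bug. The following is an added example, not code from the CISA alert or from the original post; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the patch date passed in (30 April 2019 below) is an assumed placeholder that should be replaced with the date the fix was actually applied in your environment.

```powershell
# Added example, not part of the CISA alert or the original post.
# Lists enabled AD accounts whose password has not changed since the Pulse
# Secure patch date, i.e. credentials that could have been captured through
# CVE-2019-11510 and are still valid. Requires the ActiveDirectory RSAT
# module on a domain-joined host with rights to read user attributes.
Import-Module ActiveDirectory

function Get-StaleADCredential {
    param(
        # Assumption: the date the CVE-2019-11510 patch was applied in your
        # environment. Passwords set before it fall inside the exposure window.
        [Parameter(Mandatory)] [datetime] $PatchDate
    )

    # A ServicePrincipalName marks a service account: its password is usually
    # also stored in the application that uses it, so both must be rotated.
    # IsPrivileged checks direct group membership only; nested groups are not
    # resolved here.
    Get-ADUser -Filter { Enabled -eq $true } `
        -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, MemberOf |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PatchDate } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
            @{ n = 'IsServiceAccount'; e = { [bool]$_.ServicePrincipalName } },
            @{ n = 'IsPrivileged';     e = { [bool]($_.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),') } }
}

# Assumed placeholder date; replace with the real patch date.
$stale = Get-StaleADCredential -PatchDate (Get-Date '2019-04-30')

# Privileged and service accounts first: those are what an attacker holding
# stolen VPN credentials would use to move laterally.
$stale | Sort-Object IsPrivileged, IsServiceAccount -Descending |
    Format-Table SamAccountName, PasswordLastSet, PasswordNeverExpires, IsServiceAccount, IsPrivileged -AutoSize

# Force interactive users to change their password at next logon.
# Remove -WhatIf once the list has been reviewed.
$stale | Where-Object { -not $_.IsServiceAccount } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

Two caveats when acting on the list: `-ChangePasswordAtLogon` is rejected for accounts flagged `PasswordNeverExpires`, so those (typically service accounts) need a coordinated manual reset, and "all Active Directory accounts" includes `krbtgt`, which must be reset twice, with a replication interval between the resets, before forged Kerberos tickets issued with the old key stop working.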
CISA also recommends that organizations:
- Look for unauthorized applications and scheduled tasks in their environment.
- Remove any remote access programs not approved by the organization.
- Remove any remote access trojans.
- Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.
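The four items above are one triage pass over a host. The script below is an added example, not code from the CISA alert or the original post, that performs that pass on a single Windows host: it flags scheduled-task actions that run from user-writable paths, carry encoded or download commands, or execute unsigned binaries, and lists installed, running, or service-registered remote-access software. The path and argument patterns and the remote-access tool deny-list are assumed starting points, not a complete or organisation-specific list.

```powershell
# Added example, not part of the CISA alert or the original post.
# Triage of one Windows host for the persistence described above. Run as an
# administrator, locally or against many hosts via Invoke-Command.

function Get-SuspiciousScheduledTask {
    # Assumption: these patterns are a starting point, not a complete list.
    $userWritable = '\\(Users|ProgramData|Temp|AppData|Public)\\'
    $badArgs      = '-(enc|e|ec|EncodedCommand)\b|IEX|Invoke-Expression|DownloadString|FromBase64String|-nop\b|bypass|-w(indowstyle)? hidden|mshta|regsvr32|certutil'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path $exe)) {
                # Bare names such as powershell.exe resolve through PATH.
                $resolved = Get-Command $exe -ErrorAction SilentlyContinue
                if ($resolved -and $resolved.Source) { $exe = $resolved.Source }
            }
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'NotFound' }

            $flags = @()
            if ($exe -match $userWritable)         { $flags += 'user-writable path' }
            if ($action.Arguments -match $badArgs) { $flags += 'encoded/download args' }
            if ($sig -ne 'Valid')                  { $flags += "signature: $sig" }
            if ($flags) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Author    = $task.Author
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Flags     = $flags -join '; '
                }
            }
        }
    }
}

function Get-RemoteAccessSoftware {
    # Assumption: an illustrative deny-list. In practice, match everything
    # that is NOT on the organisation's approved remote-access tool inventory.
    $names = 'TeamViewer|AnyDesk|LogMeIn|VNC|Ammyy|Radmin|Splashtop|ScreenConnect|ConnectWise|RustDesk|GoToMyPC|Supremo|DameWare|NetSupport|Atera'

    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $names } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Installed'; Name = $_.DisplayName; Detail = "$($_.Publisher) $($_.DisplayVersion) installed $($_.InstallDate)" } }

    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $names -or $_.Name -match $names } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.DisplayName) [$($_.Status)]" } }

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $names -or $_.Path -match $names } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = "PID $($_.Id) $($_.Path)" } }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
Get-RemoteAccessSoftware    | Format-Table -AutoSize -Wrap
```

Expect some noise from the signature check: third-party updaters that ship unsigned helpers will be flagged, and on older hosts catalog-signed Windows binaries may report `NotSigned`. Treat a hit as a lead to review against the task's author, creation time, and the account it runs as, not as proof of compromise; anything that cannot be explained feeds the reimage decision discussed next.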
If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying it into the environment. CISA recommends performing checks to ensure the infection is gone even after the workstation or host has been reimaged.