The United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a fresh advisory alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers even if they have already patched it.

The warning comes three months after another CISA alert urging users and administrators to patch Pulse Secure VPN environments to thwart attacks exploiting the vulnerability.

“Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access and move laterally through that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials,” CISA said.

CISA has also released a tool to help network administrators look for any indicators of compromise associated with the flaw.

A Remote Code Execution Flaw

Tracked as CVE-2019-11510, the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands.

The flaw stems from the fact that directory traversal is hard-coded to be allowed if a path contains “dana/html5/acc,” thus allowing an attacker to send specially crafted URLs to read sensitive files, such as “/etc/passwd” that contains information about each user on the system.

To address this issue, Pulse Secure released an out-of-band patch on April 24, 2019.

While on August 24, 2019, security intelligence firm Bad Packets was able to discover 14,528 unpatched Pulse Secure servers, a subsequent scan as of last month yielded 2,099 vulnerable endpoints, indicating that a vast majority of organizations have patched their VPN gateways.

Unpatched VPN Servers Become Lucrative Target

The fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware.

A report from ClearSky found Iranian state-sponsored hackers using CVE-2019-11510, among others, to penetrate and steal information from target IT and telecommunication companies across the world.

According to an NSA advisory from October 2019, the “exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.”

In a similar alert issued last year, the UK’s National Cyber Security Centre (NCSC) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations.

More recently, Travelex, the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) ransomware on the company’s networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (£4.6 million), a Wall Street Journal report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem.

In the face of ongoing attacks, it’s recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts.

CISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.