Security experts have warned about recent activity by the cyber attackers behind the REvil ransomware. This time, the attackers are looking to disable antivirus software and infiltrate systems through unpatched Pulse Secure VPN servers.
Researchers are advising organizations that operate Pulse Secure VPN to upgrade and patch their servers or risk losing their foothold to "big game" ransomware attacks. According to the researchers, attackers can easily locate vulnerable VPN servers using the Shodan.io search engine for internet-connected devices.
Last month, researchers observed the REvil (Sodinokibi) ransomware when it attacked CyrusOne, a U.S. data center provider listed on NASDAQ. The ransomware has also infiltrated several managed service providers as well as more than 400 dentist offices.
Kevin Beaumont, a UK security researcher, has categorized REvil as one of the "big game" ransomware families capable of causing severe havoc to the host system. According to him, attackers have consistently used it to encrypt highly sensitive business systems and demanded huge sums as ransom. Initially, the ransomware took advantage of an Oracle WebLogic vulnerability to infect systems. The ransomware was first discovered last April.
The REvil ransomware can only attack Pulse Secure VPN servers that have not yet applied the patch. The UK's National Cyber Security Centre, the US National Security Agency and CISA had already warned about the vulnerabilities in these VPNs in October last year.
The security agencies issued those warnings when state-sponsored hackers were exploiting vulnerabilities in both Fortinet and Pulse Secure VPN servers.
Now, cyber attackers have adopted the same flaw and are launching attacks on these systems. The vulnerability in the VPN server is particularly bad because it grants access without any authentication of the attacker. The researchers also said that it lets remote attackers connect to the corporate network, view cached passwords and read logs. It also allows hackers to disable the server's multi-factor authentication.
Researcher Beaumont pointed out that he detected two incidents involving the ransomware last week. According to him, the hackers used the same approach to gain access to the network in both cases. The intruders then seized domain admin control and used remote access software to move throughout the environment.
At this point the REvil operators were able to disable the endpoint security tools, and the ransomware was pushed to all the systems through PsExec. PsExec is a legitimate Sysinternals administration tool that launches a process on remote Windows hosts by installing a temporary service on each of them, which is why its use by the intruders spread the ransomware across the whole network at once.
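Because PsExec installs a service on every host it touches, the spread described above leaves a trail of Windows System log event 7045 ("A service was installed in the system") entries, by default naming the service PSEXESVC with its binary dropped straight into the Windows directory. The following Python hunt script is an added example and not part of the article or of any vendor tooling; it runs over a handful of constructed log records (a simplified key=value rendering, not real event log output) and flags both the default PsExec service and the renamed-service case, which is the pattern a responder would look for when reconstructing an incident like the ones Beaumont reported.

```python
import re

# Constructed sample records (not real logs): a simplified key=value rendering of
# Windows System log event 7045 ("A service was installed in the system"), which
# PsExec triggers on every target it is pointed at, plus one unrelated 7036 event.
SAMPLE_EVENTS = [
    r"2020-01-06T10:12:33Z host=FS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe Account=LocalSystem",
    r"2020-01-06T10:12:41Z host=DC01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe Account=LocalSystem",
    r"2020-01-06T10:13:02Z host=WS17 EventID=7045 ServiceName=svchelper ImagePath=%SystemRoot%\svchelper.exe Account=LocalSystem",
    r'2020-01-06T10:15:10Z host=WS03 EventID=7045 ServiceName=GoogleUpdate ImagePath="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc Account=LocalSystem',
    r"2020-01-06T10:16:00Z host=FS01 EventID=7036 ServiceName=PSEXESVC State=running",
]

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<id>\d+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PsExec drops its service binary directly in the Windows directory even when the
# operator renames the service; a service image sitting there (not in System32) is rare
# for legitimate software, so it is used here as a second, heuristic indicator.
WINDIR_ROOT_RE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn one constructed log line into a dict; return None for lines we cannot parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    fields["event_id"] = int(m.group("id"))
    return fields


def classify(ev):
    """Label a 7045 event as PsExec-like, or return None if it looks benign."""
    if ev is None or ev["event_id"] != 7045:
        return None
    name = ev.get("ServiceName", "").lower()
    path = ev.get("ImagePath", "")
    if "psexesvc" in name or "psexesvc" in path.lower():
        return "psexec-default-service"
    if WINDIR_ROOT_RE.match(path):
        return "service-binary-in-windir-root"
    return None


def hunt(lines):
    """Return the suspicious service installs found in the given log lines, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "service": ev.get("ServiceName", ""), "label": label})
    return findings


def affected_hosts(findings):
    """Distinct hosts that received a suspicious service; many in a short window is the spread pattern."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']:<5} {f['service']:<14} {f['label']}")
    print("hosts affected:", affected_hosts(results))
```

On the sample data the script flags three installs on three different hosts within a minute, which is the fan-out shape to expect when a domain-admin account is used to push a payload everywhere at once; the renamed-service heuristic will produce occasional false positives from unusual installers, so treat it as a lead to triage rather than a verdict.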
Bad Packets, a security company, carried out a scan on January 4. According to the scan, about 3,820 Pulse Secure VPN servers had not yet been patched against the security flaw. Of this number, more than 1,300 were vulnerable servers based in the United States.
However, Scott Gordon, Pulse Secure CMO, said that many Pulse customers have applied the patch the company issued in April last year, and their systems are no longer susceptible to attack.
He said some organizations have yet to apply those patches. According to him, these organizations that have not upgraded are the most exposed to the ransomware attack. Bad Packets had reported more than 20,000 vulnerable VPN servers in August last year.
Of that number, about 5% are still vulnerable. Gordon has asked customers to make sure their systems are updated to close off any vulnerability the hackers may target with ransomware.
He has urged customers to patch their systems quickly, since the server-side patch does not require them to update the client. He pointed out that the only way organizations can avoid becoming ransomware targets is to apply the necessary patches to their systems. Gordon advised them to cover the vulnerabilities as soon as possible to keep hackers out.