CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published an Alert that updates a previous alert, Continued Exploitation of Pulse Secure VPN Vulnerability (published on January 10), which advised organizations to immediately patch CVE-2019-11510 – an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances. CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access – and move laterally through – that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials. The Alert provides new detection methods for this activity, including a CISA-developed tool that helps network administrators search for indicators of compromise (IOCs). The Alert also provides mitigations for victim organizations to recover from attacks. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks. Read the Alert at CISA.