The CVE-2019-11510 vulnerability is being used against VPN providers worldwide. The available security reports indicate that a criminal collective is actively seeking to break the security barriers of several providers of VPN services. This is done by exploiting a recent vulnerability that is tracked as CVE-2019-11510.
CVE-2019-11510 Vulnerability Used Against VPN Service Providers
The CVE-2019-11510 vulnerability has been found to be used in live attacks against VPN providers. It appears that this is a global campaign designed to intrude into these networks by exploiting a weakness in them. The CVE-2019-11510 attack campaign has targeted the Pulse Connect Secure service. The company was able to react in a timely manner to the intrusion attempts and released a security announcement giving further details on the flaw. According to the released information this is classified as an “authentication bypass vulnerability” that can allow unauthenticated users to access files on the service’s gateway. On affected systems this can lead to remote code execution. Pulse Connect Secure has been patched in order to deter any further intrusion attempts.
The problem associated with this threat is the ability of the hackers to use publicly available code (posted online as a proof-of-concept). This makes it very easy for the hackers to automate the attacks: the exploit code is weaponised and pointed at the public-facing Internet gateways that the target VPN service is using.
Thanks to thorough security analysis, the security researchers have been able to reconstruct the actions that are run once a host has been infiltrated:
- The first step is the initial infection. This is done by successfully exploiting the host through the CVE-2019-11510 flaw.
- The next step is to download the system account credentials. This is done by retrieving the relevant file from the server’s file system.
- From there on the compromised hosts can be infected with further malware and data can be stolen.
A similar attack was also found to be used against government agencies, public education institutions, utility companies, financial corporations and others.