Kaspersky Lab analysts reported a series of attacks on financial and telecommunications companies in Eastern Europe and Central Asia. The criminals exploited a vulnerability in corporate VPN services to steal credentials that gave them access to financial information. According to the researchers, the attackers attempted to withdraw several tens of millions of dollars from the accounts.
The vulnerability exploited by the cybercriminals, CVE-2019-11510, is present in the Pulse Connect Secure and Pulse Policy Secure products, which are used in hybrid IT infrastructures to control access to corporate resources.
Security issues in these products became known back in April, when the developers disclosed a series of flaws that allowed attackers to access private data, escalate their privileges and execute third-party code on the attacked systems.
In August, experts warned that criminals had begun scanning the Internet for vulnerable Pulse Connect Secure hosts. According to researchers, the circle of possible victims at that time included more than 2.5 thousand large corporations, companies from the housing and utilities sector, government organizations, hospitals and universities, while the total number of VPN servers at risk reached 14.5 thousand.
By the end of December, the number of unpatched systems dropped to 3.9 thousand. Most of them remain in the USA (1.3 thousand), followed by Japan (409), Great Britain (228), South Korea (206) and France (186). Russia is at the end of the ranking – researchers counted only 12 vulnerable hosts here.
According to Kaspersky, Russian-speaking cybercriminals may be behind the recently discovered incidents. The researchers drew this conclusion after studying the techniques and tactics used in the attacks. As Kaspersky Lab's leading antivirus expert Sergey Golovanov specified, company experts investigated several such incidents in the fall.
“Given the availability of the exploit, such attacks can become more widespread,” the expert noted. “Therefore, we strongly recommend that companies install the latest version of the VPN solution used, do not forget about security solutions and follow the news about the current landscape of cyber threats.”
Vulnerabilities in Cisco VPN equipment were reported earlier. A third-party code execution threat was found in the web console used to configure some models of VPN routers and a VPN firewall.