Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet


After CISA published a report in April 2021 warning about active exploitation of Pulse Connect Secure vulnerabilities, researchers at the cybersecurity firm Censys found that 4,460 of the 30,266 Pulse Connect Secure hosts exposed to the internet were still missing security patches.

Pulse Connect Secure

Regarded as the most widely used SSL VPN solution, Pulse Connect Secure gives remote and mobile users secure access to business resources. The VPN appliance joined the Ivanti portfolio in 2020, when Ivanti acquired Pulse Secure.

Pulse Secure appliances are also a favoured target for both cybercriminals and state-backed threat actors. Government agencies have accordingly issued several advisories warning users of the ongoing exploitation of unpatched vulnerabilities in these products.

Censys Study on Pulse Connect Secure

According to the report published by Censys, six vulnerabilities, including a critical-severity file write flaw that can be used to execute arbitrary code with root privileges, remain unpatched on about 3,500 of the affected appliances.

“In total, Censys has found 30,266 Pulse Connect Secure hosts running on the internet […] One of the easiest ways to find these running using Censys is to search for a specific URI that can be found in the HTTP response body of a Pulse Connect Secure web service,” reads the post published by Censys. 

In addition, Censys found that more than 1,800 of the vulnerable hosts still lack the patches for three severe security flaws that Pulse Secure fixed in May 2021, despite a warning issued two weeks earlier that one of them (CVE-2021-22893, CVSS score of 10) was being exploited in attacks.

Censys also discovered hundreds of Pulse Connect Secure appliances that were still affected by other severe vulnerabilities including CVE-2018-5299 (CVSS score of 9.8), CVE-2018-6320 (CVSS score of 9.8), CVE-2019-11510 (CVSS score of 10), and CVE-2019-11540 (CVSS score of 9.8). 

According to the report's breakdown by country (top 20), the United States has the largest number of Pulse Connect Secure installations, with 8,575 hosts, although just 12% of those hosts lack security fixes. Japan holds second place with 3,000 hosts (700 vulnerable), followed by the UK and Germany, each with slightly over 1,700 hosts (155 and 134 vulnerable, respectively).

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

Almost everybody is now working from home, and 84 percent are worried that the rapid move to fully remote working has created new security vulnerabilities.

Cloud service providers designed the user interfaces of their administration panels in a way that misleads customers into paying for more services than they originally intended.

Although this has never been demonstrated to be a systematic business strategy, reports and alerts of data breaches have flooded the internet in recent years after cloud-based databases were misconfigured and confidential information leaked.

Over the past month, Censys, a security company that specializes in census-like inspections of the internet, looked closely at cloud-based services to uncover the most likely sources of misconfiguration for businesses running in the cloud. In its study, Censys found over 1.93 million cloud-hosted databases exposed to the public without any firewall or other authentication measures in front of them. The company argues that threat actors will discover and target these databases using exploits for older vulnerabilities. Moreover, a database that was exposed by accident is likely to have a weak password or none at all, opening it to anyone who discovers its IP address.

Censys reported scanning for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle, and found that nearly 60 percent of all exposed servers were MySQL databases, accounting for 1.15 million of the 1.93 million exposed databases overall.

The company also looked for ports exposed by cloud services that are normally used by remote management applications such as SSH, RDP, VNC, SMB, Telnet, TeamViewer, and pcAnywhere. Censys maintained that these remote management ports should not be openly discoverable but should instead be protected by access control lists, VPN tunnels, or other traffic filtering solutions; the underlying risk of these applications is that they allow systems to be logged into remotely.
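As an added illustration (not part of the Censys report or this post), the following Python check audits a set of inbound firewall or security-group rules for the database and remote-management ports the study names. The rule format, the default port numbers and the sample rules are assumptions constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Conventional default ports of the services named in the study (assumed here;
# the report itself does not list port numbers).
DATABASE_PORTS: Dict[int, str] = {
    3306: "MySQL", 5432: "Postgres", 6379: "Redis", 1433: "MSSQL",
    27017: "MongoDB", 9200: "Elasticsearch", 11211: "Memcached", 1521: "Oracle",
}
REMOTE_MGMT_PORTS: Dict[int, str] = {
    22: "SSH", 3389: "RDP", 5900: "VNC", 445: "SMB", 23: "Telnet",
    5938: "TeamViewer", 5631: "pcAnywhere",
}

def source_is_internet_wide(cidr: str, max_prefix: int = 8) -> bool:
    """True when a rule's source covers the whole internet or a huge block.

    0.0.0.0/0 and ::/0 mean 'anyone'; prefixes of /8 or shorter are treated the
    same way, since such a range is never a single tenant's address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= max_prefix

def audit_rules(rules: List[dict]) -> List[Tuple[str, int, str, str]]:
    """Flag inbound rules that expose a listed port to the internet at large.

    Each rule is a dict with keys name, proto, from_port, to_port, source (CIDR).
    Returns (rule name, port, service, category) for every exposed service."""
    findings = []
    watched = {**DATABASE_PORTS, **REMOTE_MGMT_PORTS}
    for rule in rules:
        if rule["proto"].lower() not in ("tcp", "any"):
            continue
        if not source_is_internet_wide(rule["source"]):
            continue  # narrow source such as an office range: acceptable
        for port, service in watched.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                category = "database" if port in DATABASE_PORTS else "remote-management"
                findings.append((rule["name"], port, service, category))
    return findings

# Constructed sample rule set (hypothetical; uses documentation address ranges).
SAMPLE_RULES = [
    {"name": "web-public", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "db-wide-open", "proto": "tcp", "from_port": 3306, "to_port": 3306, "source": "0.0.0.0/0"},
    {"name": "admin-from-office", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "203.0.113.0/24"},
    {"name": "allow-all", "proto": "any", "from_port": 0, "to_port": 65535, "source": "::/0"},
]

if __name__ == "__main__":
    for name, port, service, category in audit_rules(SAMPLE_RULES):
        print(f"{name}: {service} ({category}) on port {port} reachable from the internet")
```

Only the MySQL rule and the catch-all rule are reported; the RDP rule restricted to the office range passes, which is the ACL-based control the study recommends.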

Another significant finding was that more than 1.93 million servers expose their RDP login screens to the internet.

Microsoft and others have also reported that many security breaches were caused by attackers gaining access to an enterprise through compromised RDP credentials, in attacks carried out by a broad range of actors, including DDoS botnets, crypto-mining operations, ransomware gangs, and state-sponsored groups.

Most organizations do not run on a single cloud provider's infrastructure but use several, and these do not all share the same access controls or default settings, so systems can become reachable without IT staff intending it. While some cloud providers have improved their dashboards and clarified how those controls work, the terminology still differs substantially between providers, and system administrators are still often confused.

Censys said, “it expects the issue of misconfigured services to remain a big problem for companies going forward.”