Hacked Law Firm May Have Had Unpatched Pulse Secure VPNREvil Gang Still Threating to Release More Data
A recent ransomware attack that targeted a law firm that serves celebrities may have been facilitated by a Pulse Secure VPN server that was not properly patched and mitigated against a well-known vulnerability, some security experts say.
The New York law firm of Grubman Shire Meiselas and Sacks, which represents many celebrities, including Lady Gaga, Madonna, Mariah Carey, U2, Bruce Springsteen and Mary J. Blige, is being extorted by the operators of the REvil ransomware variant who are asking for $42 million in ransom under the threat of releasing more documents it stole related to the firm's roster of clients (see: Ransomware Gang Demands $42 Million From Celebrity Law Firm ).
Late last week, the REvil gang, also known as known Sodin and Sodinokibi, released over 2 GB of legal documents and other information concerning the law firm's work for Lady Gaga, and now it’s threatening to release more data, according to a post on the gang's darknet web portal.
The REvil gang also claims to have data from the law firm related to President Donald Trump, although he's never been a client of Grubman Shire Meiselas and Sacks either as a real estate developer or president. The FBI is now investigating the incident, according to Bleeping Computer and other published reports.
Over the last several months, security experts have warned that cybercriminals, as well as some nation-state actors, have been using vulnerable servers as a launching point for attacks - even if the servers have been patched.
Earlier this week, Troy Mursch of the Chicago-based threat intelligence firm Bad Packets reported that a domain associated with the Grubman Shire Meiselas and Sacks firm was using an unpatched Pulse Secure VPN server between at least August and October 2019. Mursch has been using his company's honeypots and scanning technology to check for unpatched Pulse Secure VPN SSL servers that are vulnerable to a bug tracked as CVE-2019-11510. If this flaw is exploited, attackers could use it to infect vulnerable VPN servers, which would then allow them to gain access to other parts of a targeted network, steal credentials, plant malware and execute arbitrary commands.
Pulse Secure has been warning its users since at least April 2019 to patch these vulnerabilities, although many organizations have been slow to do so. In August 2019, security researchers started sounding the alarm about these servers, and Bad Packets did it first round of scanning (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).
The period between August and October 2019 was particularly critical because that’s when threat actors were actively scanning for unpatched Pulse VPN SSL servers, Mursch says.
"Bad Packets CTI vulnerability data shows Grubman Shire Meiselas & Sacks had a vulnerable Pulse Secure VPN server up until at least October 21, 2019," Mursch tells Information Security Media Group. "This was during a period of time that threat actors were opportunistically mass scanning the internet for vulnerable Pulse Secure VPN servers."
When Bad Packets did its most recent scans in March for these unpatched severs, the law firm's server didn't show up. But many organizations have not properly remediated the vulnerability, leaving them open to attack, which has prompted fresh warnings from the U.S. Cybersecurity and Infrastructure Security Agency in April.
"The key factor here is determining if they took the proper remediation procedures of changing/invalidating any user credentials and/or private keys that were stored on their Pulse Secure VPN server," Mursch says. "If they didn't, threat actors could simply reuse the stolen credentials/keys for future attacks."
A spokesperson for Grubman Shire Meiselas and Sacks recently told Rolling Stone that the company had invested in "state-of-the-art technology security."
The Risks Involved
Mursch says that while his firm can scan open internet ports for vulnerable Pulse Secure VPN servers, he doesn't have insight into the law firm's internal network and can't say for sure whether the REvil operators used it to plant ransomware and encrypt files.
Some security experts, including Kevin Beaumont, who is now with Microsoft, have previously warned that the REvil ransomware gang is known to target unpatched Pulse Secure VPN servers. When the gang attacked the London-based foreign currency exchange firm Travelex on New Year's Day, it was reported that the company used a Pulse Secure VPN server that was patched (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
Brett Callow, a threat analyst with security firm Emsisoft, also notes that REvil is known to use vulnerable Pulse Secure VPN servers to gain a foothold in a network and wait for some time before starting a ransomware attack against a target.
"In other incidents, it's been established that groups have had access for months prior to finally deploying the ransomware," Callow tells ISMG.
Other ransomware gangs, such as the operators of the LockerGoga and MegaCortex, are also known to linger in networks for months after the initial intrusion before starting an attack, according to the FBI (see: Ransomware Attackers May Lurk for Months, FBI Warns).
No Intention to Pay Ransom
The ransomware attack against Grubman Shire Meiselas and Sacks was first reported earlier this month, and the law firm confirmed the incident to entertainment news site Variety on May 11.
It's not clear if the gang and the law firm engaged in any negotiations, but REvil began upping its ransom demands from $21 million to $42 million over the last week, with the added threat of releasing additional data about Trump. Bleeping Computer and Forbes both reported that some of the already leaked information related to Trump only references the president in passing.
Representatives for Grubman Shire Meiselas and Sacks told the New York Post that the company is working with the FBI and it doesn't intend to pay ransom to cybercriminals.
Callow of Emsisoft says the REvil gang appears to be planning to potentially auction off other data from the law firm in the coming weeks. "REvil has stated the information relating to Madonna is to be auctioned," Callow says. "The group initially specified the site where this was to occur, but has since edited the post to remove that."