Clothing retailer Monsoon Accessorize has been using VPN servers that have critical vulnerabilities, putting it at risk of hacking or ransomware attack, according to an analysis by VPNpro.
The researchers discovered that Monsoon has been utilizing unpatched Pulse Connect Secure VPN servers, known to contain vulnerabilities that enable cyber-criminals to see active users on the company’s VPN as well as their plaintext passwords.
This information can then be used to access the servers and attack the companies in various ways.
The biggest threat to organizations which have this vulnerability is having their servers locked down with ransomware, according to VPNpro. It is a similar vulnerability to the one that enabled the attack on global currency exchange business Travelex on New Year’s Eve, which forced the company to take its systems offline as a precautionary measure.
VPNpro said that “our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.”
The data accessed included a sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses.
The cybersecurity firm added that it has contacted Monsoon “multiple times” to inform it of the vulnerability, but has received no response as yet and the vulnerability remains.
VPNpro recommends that Monsoon customers monitor their data to make sure their personal information has not been leaked.
Hugo van der Toorn, manager offensive security at Outpost24, told Infosecurity: “This showcases the importance of truly understanding your network perimeter and your vulnerabilities therein. It is pivotal that organizations try to minimize their exposure to the internet and to understand and secure that what is exposed. As proven in this research, scanning the entire internet for specific vulnerabilities can be done with relative ease and happens every time a new critical vulnerability becomes known to the public. Scan everything and see where an attacker can get in, this works both defensively and offensively.
“The safest thing is to not expose anything directly to the internet, unless it is needed for performing daily business. A good example is a VPN; those are meant to allow employees to connect back to the office network and access internal resources. It is important for every device/service that is exposed to the internet to have clear visibility of this system: What software is in use, what components, which versions of those, what ports are open and on what hardware is it running.”
Javvad Malik, security awareness advocate at KnowBe4, added: "Attackers will try to leverage any way they can into organisations. In recent times, we've seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, they run higher privilege and have access to lots of data, they become a very rewarding target. It's why organisations should take care of their security tools, ensure they are patched, and follow the vendors' recommended guidance for any known issues, or settings that could be leveraged by criminals to gain access."