Back in April, a company called Pulse Secure issued a patch and a dire warning to upgrade the corporate VPN software they produced or all the bad things. Well, all the bad things.
What happens when a VPN provider gets compromised? [shakes stick at cloud] Anything! As many now-ransomwared companies are finding out.
Now, what makes this different than, say, the VPN company we found out about a year plus later, who’s still conducting forensic analytics on an intrusion and will be forever as they claim they don’t keep logs, is that the software was in the hands of a bunch of IT departments who were given notices again and again to upgrade.
The compromised VPN software was used in multiple ways and for multiple companies, but the latest victim we’re hearing about was Travelex, who got ransomwared to death.
While there are probably always going to be bugs that need patching, leaving 8-month-old corporate VPN software unpatched when there have been multiple warnings and upgrades available is just… meh.
So yeah, update your security software. The people running the VPN in this case were the corporations it was sold to, and evidently they had no business being in the security game. [Ars Technica]