An unpatched version of Pulse Connect Secure VPN is putting the data of thousands of customers and staff at retailer Monsoon Accessorize at risk of compromise, and the firm is allegedly ignoring attempts to disclose it responsibly.
This is according to researcher Jan Youngren of VPNPro, who found the retailer was using an old version of Pulse Connect Secure VPN that has a critical vulnerability potentially enabling cyber criminals to see any active users on its VPN, as well as their plain text passwords.
This information could in theory be used to gain access to servers to exfiltrate the victim’s data, deploy malware or ransomware, or perform any number of other malicious actions.
The CVE-2019-11510 vulnerability was first disclosed back in April 2019 and is the same flaw exploited in the compromise of Travelex by the REvil/Sodinokibi ransomware crime syndicate in January 2020. It is rated as critical, and fixes have been available from Pulse Secure for over 12 months.
Youngren said he was able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers and more.
His team exploited the vulnerability to extract session data using a specifically crafted URL in the VPN’s client panel, without authentication. They then ran a script to import the session data and attempted to access the VPN portal with the given session IDs.
By monitoring these to find active sessions, they were then able to import the ID as a browser cookie and access the panel as that specific user. They then scraped information to confirm the files are readable, that they had write access, and to understand the vulnerability’s scope.
Youngren noted that the limitation of the vulnerability is that it needs elevated user permissions to execute a wider attack.
The data found included a list of employee usernames and hashed passwords, encrypted admin details, VPN login details and session cookies, daily sales data, minutes of internal meetings, business intelligence assets and other internal documents, the names and other details of 45,000 Monsoon customers, and data on about 650,000 reward card and voucher numbers.
“The biggest risk with having this vulnerability is that hackers can lock down the servers with ransomware, similar to what happened with Travelex,” wrote Youngren.
“In that scenario, any operations connected to or dependent on information contained in these servers would halt until the situation was resolved. This could be very expensive for Monsoon, depending on the price the hackers charge, or they may employ alternatives that in any case would take days or weeks to fix.”
Bad actors could also steal and sell on the business and customer data, take advantage of the voucher codes and reward cards, brute force passwords for remote desktop protocol (RDP) servers and access sensitive servers, and attack Monsoon’s online shops to install credit card skimmers.
Concerningly, Youngren alleged that Monsoon had either ignored or rebuffed VPNPro’s attempts to contact it to disclose responsibly.
“Beginning on 28 May, we attempted to first contact Monsoon via email, including two follow-up emails. Then, we attempted to reach them on their company Twitter beginning 29 May, but received no response.
“After that, we attempted to call them using two phone numbers listed on their websites, but to no avail. Finally, we contacted the UK’s National Cyber Security Centre (NCSC) on 3 June, which handles cyber security issues and can help get ethical hackers in contact with vendors. However, we received no response from them either.
“At the time of publication, the vulnerability remains and we have received no response from their side.”
The retailer’s customers can do little more than monitor their data and be alert to any suspicious-looking emails or contact attempts.
Computer Weekly reached out to Monsoon to seek confirmation of Youngren’s findings and clarification on the company’s response, but the firm’s press contacts had not responded to our approaches at the time of publication. We also contacted the NCSC but the organisation declined to respond to specific questions about the incident.
Monsoon went into administration in June 2020 as a result of being forced to shutter its estate during lockdown, but was bought back by its founder Peter Simon in what is known as a pre-pack deal. A number of stores remain at risk of closure and more than 500 staff are at risk of redundancy, while the retailer’s creditors are owed more than £132m.
Update, 12 August 2020:
After VPNpro's initial research blog was published, Monsoon fixed the issue, and VPNpro's security team has now confirmed that the servers are no longer vulnerable. The retailer has still not responded to requests for comment.