UK retail giant Monsoon has critical vulnerability giving unauthorized access to internal company servers

New research from VPNpro shows that Monsoon Accessorize uses the old Pulse Connect Secure VPN version that has a known vulnerability and allows hackers to steal or ransom sensitive internal company files, customer data, and much more

Update (August 11): Monsoon reached out to as after our research was published. Since then, they were able to fix the issue, and we can confirm that the servers are no longer vulnerable.

Our new research shows that Monsoon Accessorize – the company behind some of the biggest clothing brands in the UK – has been using unpatched Pulse Connect Secure VPN servers that have critical vulnerabilities. The Pulse Connect Secure vulnerability (CVE-2019-11510, rated as “critical”), which dates back to April 2019, can allow hackers to see any active users on the company VPN, as well as their plaintext passwords. They can then use this information to get into those servers for malicious purposes and could harm both the company and its clients. The threat is serious: even the US Department of Homeland Security has issued a warning urging businesses to upgrade their VPNs. 

A New Year’s Eve attack on the currency exchange provider Travelex is an example of what this vulnerability can do. A hacker accessed the company’s VPN servers which allowed them “to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.”

By using this vulnerability, our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.

On their company page, Monsoon claims to have “more than 620 stores across the globe” and “trade in 42 countries, across 4 continents.” According to data from Statista, Monsoon Accessorize had a peak annual revenue of £631 million in 2008 (falling to £296 million in 2018). The scale of the company’s operations means the vulnerability could have a wide-ranging impact.

We attempted to contact Monsoon multiple times via multiple channels from May 28 until June 10. At the time of writing this article, we have still received no reply and the vulnerability remains.

Methodology

In order to undertake this research, we scanned the internet for VPN server vulnerabilities. We noticed that monsoon.co.uk’s private Pulse Connect Secure VPN server was vulnerable to CVE-2019-11510.

This vulnerability allowed us to extract session data using a specifically crafted URL in the VPN’s client panel without any authentication. We ran a script that imported that session data and tried to access the VPN portal with the given session IDs. If we were redirected back to the login screen, the session wasn’t active. We constantly monitored session IDs to find active sessions. 

Once an active session was captured, we imported the ID as a browser cookie and accessed the panel as a specific user. We gathered information to confirm that the files were readable, that we had write access, and to understand the scope of the vulnerability. 

The limitations of this vulnerability, as we discovered, is that it requires elevated user permissions to execute an attack against all employees.

What data we found

There are two types of data we found: data before confirming the vulnerability, and data once we were able to test and verify the credentials we found.

Data before confirmation

• A list of employees’ usernames, unique IDs and MD5 crypt hashed passwords
• Encrypted administrator details 
• Observed VPN logins, which include the login date, time and device, along with the usernames and plaintext passwords
• VPN session cookies, both active and inactive

Data inside Monsoon’s internal servers

• Daily sales data
• Meeting minutes
• Business intelligence data
• Other internal documents
• 45,000 customer names, emails, countries and what appears to be store codes
• Roughly 650,000 reward card and voucher numbers, many still active until 2021, with initial and remaining balances. According to Monsoon’s FAQ page, customers can redeem these voucher codes online as long as they’ve linked their Reward Card to their account
• A sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses

How we accessed this data

We used a third-party app to scan for networks that contain certain VPN vulnerabilities, including the 2019 Pulse Connect Secure vulnerability identified as CVE-2019-11510. This led us to monsoon.co.uk’s VPN server. With the process listed in our Methodology, we were able to get sensitive data containing the VPN users’ login details, as well as session cookies.

Example of usernames and plaintext passwords

Example of VPN session cookies

Once we had this information, we went ahead with our testing to confirm whether this data was actionable, or insignificant.

When we went to Monsoon Accessorize’s VPN portal, we discovered that they had enabled two-factor authentication for their logins. 

While this would normally be a block, we were able to bypass this because of the VPN session cookies. Using the session cookies marked **ACTIVE**, we were able to convince the system that we had already logged in.

This allowed us to access Monsoon’s internal VPN server. When we tested a few cookies, we noticed that Monsoon had set up different access permissions for different users. 

User 1:

User 2:

However, while they had the forethought for that best practice, they had unfortunately failed to update their Pulse Secure VPN service to patch the vulnerability.

We were also able to upload files to the internal server, which was a simple text file containing the following message:

Your Pulse Secure VPN server is vulnerable (CVE-2019-11510). Please fix it as soon as possible.

Contact our security team at ***********@vpnpro.com for more information and guidance.

Sincerely, 
VPNpro

For all tested HTML5 Access Sessions, we were unable to log in:

In this second session cookie, we were able to access the company’s internal files. Monsoon’s internal servers contain hundreds of folders with likely tens of thousands of files:

Monsoon’s Business Intelligence folder:

Customer voucher card information:

This includes customer data, such as names, email addresses, shipping addresses, card numbers and more. While we were certain that there was a lot more sensitive data contained in these servers, we had enough information to confirm the scope of the vulnerability.

What’s the possible damage?

The biggest risk with having this vulnerability is that hackers can lock down the servers with ransomware, similar to what happened with Travelex.

In that scenario, any operations connected to or dependent upon information contained in these servers would halt until the situation was resolved. This could be very expensive for Monsoon, depending on the price the hackers charge, or they may employ alternatives that in any case would take days or weeks to fix.

Besides the likely ransomware, bad actors could also:

• Sell the business and customer data on the blackmarket
• Potentially use customers’ reward cards and voucher numbers for themselves, or sell them online
• Bruteforce passwords for Remote Desktop Protocol (RDP) servers and access sensitive servers that were intended to be protected over the VPN connection
• With more time and effort, attack their online shops to install payment detail phishing scripts, which would allow them to steal customers’ payment information

Disclosure

We informed Monsoon Accessorize of their vulnerability multiple times, but received no reply and no action. 

Beginning on May 28, we attempted to first contact Monsoon via email, including two follow-up emails. Then, we attempted to reach them on their company Twitter beginning May 29, but received no response.

After that, we attempted to call them using two phone numbers listed on their websites, but to no avail. Finally, we contacted the UK’s National Cyber Security Centre on June 3, which handles cybersecurity issues and can help get ethical hackers in contact with vendors. However, we received no response from them either.

At the time of publication, the vulnerability remains and we have received no response from their side.

Recommendations

Unfortunately, there’s nothing much you can do as a Monsoon Accessorize customer. The vulnerability and the fix rests entirely on their side.

However, if you have shared your personal details – your name, email address, phone number or more – with Monsoon Accessorize, we recommend you monitor your data to make sure that your information hasn’t been leaked.

Make sure to check if there has been any strange activity connected to your online accounts, such as login attempts from strange locations or offbeat emails from your financial institutions that may turn out to be phishing emails. If so, change your passwords immediately and contact your bank to protect your account. To prevent further similar situation we strongly recommend to use safe and secure VPN services.

Disclaimer:
We meticulously research our stories and endeavor to present an accurate picture for our readers.  We’re also human, and if you believe we have made a factual error (as opposed to disagreeing with an opinion), please contact us so that we may investigate and either correct or confirm the facts. Please reach out to us by using our Contact Us page.