APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn


U.S. and U.K. agencies warn users of VPN products from Fortinet, Pulse Secure and Palo Alto Networks to patch them immediately.

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.

The National Security Agency (NSA) issued a Cybersecurity Advisory on Monday about the threats and offered mitigations, warning that multiple APT actors have weaponized three critical vulnerabilities for which exploit details became public in August: CVE-2019-11539, CVE-2019-11510 and CVE-2018-13379. Attackers use them to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs; the third affects Fortinet's FortiOS SSL VPN.

The National Cyber Security Centre in the United Kingdom posted a separate warning about the threats, which stem from vulnerabilities that allow “an attacker to retrieve arbitrary files, including those containing authentication credentials,” according to the post.

With those stolen credentials, an attacker can connect to the VPN, change configuration settings, or pivot to other infrastructure on the network, authorities warned. From that foothold, the attacker could run secondary exploits that escalate privileges to a root shell on the appliance.
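The file-retrieval stage described above leaves a trace that defenders can hunt for: requests to the VPN web portal whose path climbs out of the web root with `..` segments, often URL-encoded one or more times, and whose target is a credential or key file. The following added example (not from the advisories or either vendor) scans constructed web-server access-log lines for that pattern, decodes repeated percent-encoding, and marks whether the appliance answered with a 200, which is the case where the NSA's advice to revoke and regenerate server keys and credentials matters most. The log lines, the `/vpn/` path prefix and the list of sensitive targets are all constructed for illustration, not taken from any real exploit.

```python
"""Hunt for arbitrary-file-read (path traversal) attempts in VPN portal access logs.

Added example for this article; the sample log lines, the /vpn/ portal paths and
the SENSITIVE_TARGETS list are constructed for illustration only.
"""
import re
from urllib.parse import unquote

# Files an attacker would want off a VPN appliance (constructed, illustrative list).
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", ".pem", ".key", "sessions", "credentials")

# Apache/nginx "combined"-style line: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal segment: "..", bounded by a slash/backslash or the string ends.
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample log. 198.51.100.9 probes for traversal three times;
# 203.0.113.7 is a normal user logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2019:10:12:01 +0000] "GET /vpn/login HTTP/1.1" 200 5120
198.51.100.9 - - [08/Oct/2019:10:12:33 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.9 - - [08/Oct/2019:10:12:34 +0000] "GET /vpn/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 312
198.51.100.9 - - [08/Oct/2019:10:12:40 +0000] "GET /vpn/%252e%252e%252f%252e%252e%252fdata/sessions.db HTTP/1.1" 200 9001
203.0.113.7 - - [08/Oct/2019:10:13:05 +0000] "POST /vpn/login HTTP/1.1" 302 0
"""


def normalize(raw_path: str) -> str:
    """Percent-decode until stable (max 3 rounds) so %252e%252e becomes '..'."""
    decoded, prev = raw_path, None
    for _ in range(3):
        if decoded == prev:
            break
        prev, decoded = decoded, unquote(decoded)
    return decoded


def classify(raw_path: str) -> list:
    """Return the reasons a request path looks like a file-read attempt (empty if benign)."""
    decoded = normalize(raw_path)
    reasons = []
    if DOTDOT_RE.search(decoded):
        reasons.append("dot-dot segment")
    lowered = decoded.lower()
    for target in SENSITIVE_TARGETS:
        if target in lowered:
            reasons.append(f"sensitive target {target}")
    return reasons


def scan(lines) -> list:
    """Parse log lines and return one dict per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = classify(m["path"])
        if not reasons:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": m["path"],
            "status": status,
            # A 200 on a traversal path means the appliance served the file:
            # treat any keys/credentials on it as compromised and rotate them.
            "succeeded": status == 200,
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if hit["succeeded"] else "blocked/404"
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {flag}: {hit["path"]} ({", ".join(hit["reasons"])})')
```

Run against real logs, the useful output is the set of source IPs with at least one `succeeded` hit; those are the sessions whose subsequent authenticated logins (the credential-reuse step described above) deserve review even if they look routine.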

The U.K.’s alert added two more Fortinet vulnerabilities to the list, CVE-2018-13382 and CVE-2018-13383, as well as a Palo Alto Networks VPN flaw, CVE-2019-1579.

Authorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.

To mitigate attacks against all of the existing threats, officials recommend two basic steps: apply any available patches for VPNs in use that could be at risk, and reset existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones, since an attacker who could read arbitrary files from the appliance may already hold copies of them.

A more comprehensive list of mitigations from the NSA goes further. It discourages the use of proprietary SSLVPN/TLSVPN protocols, and of self-signed and wildcard certificates for public-facing VPN web applications. It recommends mutual certificate-based authentication, so that remote clients attempting to reach the public-facing VPN web application must present a valid client certificate to maintain a connection. And it recommends multi-factor authentication, so that a compromised password alone is not enough for an attacker to authenticate.

Neither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.

The warnings come after reports surfaced last month that APT5 was targeting VPNs from Fortinet and Pulse Secure, following the disclosure of exploit code for two of the aforementioned vulnerabilities in a presentation at the Black Hat security conference. Both companies had already patched those flaws; Pulse Secure issued its fixes in April, three months before Black Hat.

APT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a report by FireEye.
