NCSC Warns Vulnerable VPNs are Being Targeted by APT Groups

The UK’s National Cyber Security Centre (NCSC) has issued a warning following an increase in cyberattacks exploiting vulnerabilities in enterprise virtual private network (VPN) appliances.

The NCSC has been investigating attacks by Advanced Persistent Threat (APT) actors targeting government agencies and the military, healthcare organizations, educational institutions, and businesses. These organizations deploy VPNs to secure remote access, yet unpatched VPN appliances are themselves giving attackers a way in.

NCSC warns that the vulnerabilities are present in VPN products from Fortinet, Pulse Secure, and Palo Alto Networks and that the flaws are publicly documented. By exploiting the flaws, an attacker can retrieve arbitrary files from the appliance, including those containing authentication credentials. With those credentials, the attacker can connect to the VPN and to internal infrastructure to steal data, change VPN configuration settings, or use secondary exploits against the appliance to obtain a root shell.

NCSC warns that working exploits are publicly available for the CVEs listed below. The list is not exhaustive, and exploits may exist for other vulnerabilities in these products.

Pulse Connect Secure users are being attacked through the exploitation of CVE-2019-11510 and CVE-2019-11539; Fortinet through CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383; and Palo Alto through CVE-2019-1579. The file-read flaws CVE-2019-11510 and CVE-2018-13379 and the Palo Alto flaw CVE-2019-1579 can be exploited remotely without authentication. CVE-2019-11539 and CVE-2018-13383 are post-authentication flaws, but an attacker who has already stolen credentials through the file-read bugs can chain them to run code on the appliance.

Patches have been issued to correct all of the above vulnerabilities, but many organizations have been slow to apply them. Scans conducted by security researchers have revealed thousands of Internet-exposed VPN servers still running vulnerable versions, despite several security warnings about the flaws having been issued.

Unpatched users are not just exposed to future attacks; they may already have been compromised. NCSC advises all users of the above products to check their logs carefully for evidence of exploitation unless the patches were applied as soon as they were released.
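What "check your logs" looks like in practice, as an added example that is not part of the NCSC alert or any vendor tooling: a small scanner that reads web access log lines from the VPN appliance (or from a reverse proxy in front of it) and flags the arbitrary-file-read requests described above. The two request shapes it recognises are the publicly documented exploit URIs for CVE-2019-11510 (Pulse Connect Secure) and CVE-2018-13379 (FortiOS SSL VPN); it also catches generic path traversal and URL-encoded variants. The log format (Combined Log Format) and the sample lines are constructed for this example; the IP addresses are RFC 5737 documentation addresses.

```python
"""Flag VPN file-read exploitation attempts in web access logs.

Added example, not from the NCSC alert or a vendor. Log format and
sample lines are constructed; the matched request shapes are the public
exploit URIs for CVE-2019-11510 and CVE-2018-13379.
"""
import re
from typing import NamedTuple, List, Optional
from urllib.parse import unquote

# Constructed sample log (Combined Log Format). Lines 2-5 are exploitation
# attempts; lines 1 and 6 are ordinary portal requests.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2019:12:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4821
198.51.100.7 - - [10/Oct/2019:12:05:44 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1342
198.51.100.7 - - [10/Oct/2019:12:05:51 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 65536
203.0.113.9 - - [10/Oct/2019:13:17:08 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9120
203.0.113.9 - - [10/Oct/2019:13:17:20 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 9120
192.0.2.33 - - [10/Oct/2019:14:00:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' path segment in either slash style, after decoding and normalising.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Files whose retrieval means credentials or sessions were exposed.
SENSITIVE_TARGETS = ('/etc/passwd', 'data.mdb', 'sslvpn_websession')

# Endpoint fragments of the publicly documented exploit requests.
ENDPOINT_HINTS = (
    ('/dana/html5acc/guacamole/', 'CVE-2019-11510 (Pulse Connect Secure file read)'),
    ('/remote/fgt_lang', 'CVE-2018-13379 (FortiOS SSL VPN file read)'),
)


class Finding(NamedTuple):
    ip: str
    timestamp: str
    target: str
    status: int
    hint: str
    served: bool  # True when the appliance answered 200, i.e. the file was returned


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> Optional[str]:
    """Return a CVE hint for a suspicious request target, or None if benign."""
    normalized = re.sub(r'/{2,}', '/', fully_decode(target))  # collapse '//////' padding
    traversal = bool(TRAVERSAL_RE.search(normalized))
    sensitive = any(t in normalized for t in SENSITIVE_TARGETS)
    if not (traversal or sensitive):
        return None
    for fragment, hint in ENDPOINT_HINTS:
        if fragment in normalized:
            return hint
    return 'generic path traversal against VPN web interface'


def scan_log(text: str) -> List[Finding]:
    """Parse access log lines and return one Finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line; skip rather than guess
        hint = classify(m['target'])
        if hint is None:
            continue
        status = int(m['status'])
        findings.append(Finding(m['ip'], m['ts'], m['target'], status, hint, status == 200))
    return findings


def compromised_sources(findings: List[Finding]) -> List[str]:
    """IPs whose file-read requests were actually served (treat creds as stolen)."""
    return sorted({f.ip for f in findings if f.served})


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f.timestamp} {f.ip} {f.status} {f.hint}: {f.target}')
    print('sources with successful reads:', compromised_sources(hits))
```

A 200 response on one of these requests means the appliance handed over the file, so the session database or credentials it contained should be treated as stolen regardless of what else the logs show; a 4xx or 5xx is an attempt worth noting but not proof of theft. The script deliberately matches on the decoded, slash-collapsed target rather than on the exact exploit string, because the public proof-of-concept URIs are trivially varied by changing the number of `../` segments or percent-encoding them.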

Users of the vulnerable products should ensure that all security patches released by the vendors are applied promptly. Because it may be impossible to determine from the logs whether the flaws were exploited before patching, they should also reset authentication credentials associated with the vulnerable VPNs and any accounts that connect through them as a precaution.

The U.S. Department of Homeland Security has responded to the warning by issuing one of its own, urging U.S. organizations to confirm that they are not running a vulnerable VPN, to review the vendors' security advisories, and to apply the necessary firmware updates.

The NCSC warning, which includes details of the affected products, flaws, and mitigations, can be viewed at this link.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news