Share this article on:
Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to VPNs and internal networks.
The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors and exploit code is freely available online on GitHub and the Metasploit framework.
On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7.
The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), the Palo Alto GlobalProtect VPN (CVE-2019-1579), and the Fortinet Fortigate VPN (CVE 2018-13379, CVE-2018-13382, CVE-2018-13383).
No mention was made about the APT actors responsible for the attacks, although there have been reports that the Chinese APT group APT5 has been conducting attacks on Pulse Secure and Fortinet VPNs.
The weaponized exploits allow APT actors to retrieve arbitrary files, including those containing authentication credentials. Those credentials can then be used to gain access to vulnerable VPNs, change configurations, remotely execute code, hijack encrypted traffic sessions, and connect to other network infrastructure.
The flaws are serious and require immediate action to prevent exploitation. The NSA security advisory urges all organizations using any of the above products to check to make sure they are running the latest versions of VPN operating systems and to upgrade immediately if they are not.
The NSA advisory also provides information on actions to take to check whether the flaws have already been exploited and steps to take if an attack is discovered. If a threat actor has already exploited one of the vulnerabilities and has obtained credentials, upgrading to the latest version of the OS will not prevent those credentials from being used.
The NSA therefore advises all entities running vulnerable VPN versions to reset credentials after the upgrade and before reconnection to the external network as a precaution, since it may be difficult to identify an historic attack from log files.
User, administrator, and service account credentials should be reset, and VPN server keys and certificates should be immediately revoked and regenerated. If a compromise is suspected, accounts should be reviewed to determine whether the attacker has created any new accounts.
The NSA has also provided recommendations for public-facing VPN deployment and long-term hardening controls.