VPN Compromised — Are you Safe?
State-sponsored hacking has been around for ages. It occurs when a nation's government backs a cyber attack against another country or one of its departments. One hacker team that is very active these days is the Chinese state-sponsored group known as APT5. Their latest target? Virtual Private Networks. To be more precise, APT5 has heavily attacked enterprise VPNs built on Fortinet and Pulse Secure products. In addition, the UK's National Cyber Security Centre (NCSC), a unit of the UK spy agency GCHQ, is now warning everyone that Palo Alto's GlobalProtect portal and GlobalProtect Gateway interface products are also affected.
The NCSC goes on to advise that patches for each of the vulnerabilities be installed immediately to secure VPNs and gateways. The intent of the attack against Fortinet was to gain illegal access to credentials, then use them to log in to the VPN, change its configuration or grant privileges. Once inside the VPN appliance, attackers can reach a root shell, after which things get dangerous very quickly.
What’s the damage?
Thankfully, documentation for the vulnerabilities is openly available, and admins are being urged to take remedial action immediately. Let us look at the actual vulnerabilities that are being exploited.
- Two flaws in the Pulse Connect Secure VPN: CVE-2019-11510 and CVE-2019-11539.
- Three vulnerabilities in Fortinet's FortiGate devices: CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383.
- A critical remote code execution bug disclosed in Palo Alto's GlobalProtect portal and GlobalProtect Gateway interface products: CVE-2019-1579.
The NCSC has provided detailed plans of action and elaborations on these vulnerabilities. As an example, for the Pulse Secure product vulnerabilities it advises administrators to check for URLs containing certain patterns and resource paths. These URLs typically show up in the VPN's logs. The UK agency says that if such an entry appears in logs from before the security patches were applied, the device may have been compromised. Similarly, other means of exploitation can be detected by the presence of certain files or by repeated system crashes recorded in the log.
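The log check described above, as an added example (not part of the NCSC guidance or this post): a small scanner that parses access-log lines, URL-decodes each request path (repeatedly, so double-encoded traversal sequences are caught), flags directory-traversal sequences and any request to a list of indicator paths, and marks which hits predate the patch. The log lines, the patch date and the INDICATOR_PATHS entry are all constructed placeholders; the actual resource paths to look for come from the vendor and NCSC advisories, not from this code.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format style; not real VPN logs.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2019:10:15:02 +0000] "GET /login/ HTTP/1.1" 200 5123
203.0.113.9 - - [22/Apr/2019:03:41:17 +0000] "GET /app/../../../etc/passwd HTTP/1.1" 200 1840
198.51.100.4 - - [22/Apr/2019:03:41:19 +0000] "GET /app/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1840
198.51.100.4 - - [22/Apr/2019:03:42:01 +0000] "POST /PLACEHOLDER-ADMIN-ENDPOINT HTTP/1.1" 302 0
203.0.113.9 - - [01/May/2019:08:00:00 +0000] "GET /app/../../../etc/passwd HTTP/1.1" 404 0
"""

# Constructed date on which the patch was assumed to be installed on this appliance.
PATCH_APPLIED_AT = datetime(2019, 4, 25, tzinfo=timezone.utc)

# Placeholder: replace with the resource paths named in the vendor / NCSC advisory.
INDICATOR_PATHS = ["/PLACEHOLDER-ADMIN-ENDPOINT"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes (or the start/end of the path).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def parse_line(line):
    """Parse one CLF-style line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "url": m.group("url"), "status": int(m.group("status"))}


def normalise(url):
    """Percent-decode until stable (max 3 rounds) so ..%2F and %252e%252e become '..'."""
    decoded = url
    for _ in range(3):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded.split("?", 1)[0]  # path only, drop the query string


def classify(url):
    """Return the list of reasons a request path looks suspicious (empty if none)."""
    path = normalise(url)
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("directory traversal")
    for indicator in INDICATOR_PATHS:
        if path.startswith(indicator):
            reasons.append(f"indicator path {indicator}")
    return reasons


def scan(log_text, patched_at):
    """Return every suspicious request, annotated with whether it predates the patch."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["url"])
        if not reasons:
            continue
        rec["reasons"] = reasons
        rec["pre_patch"] = rec["ts"] < patched_at
        findings.append(rec)
    return findings


def pre_patch_hits(findings):
    """Hits before the patch that the server did not reject: the ones worth triaging first."""
    return [f for f in findings if f["pre_patch"] and f["status"] < 400]


def scan_sample():
    return scan(SAMPLE_LOG, PATCH_APPLIED_AT)


if __name__ == "__main__":
    hits = scan_sample()
    for h in hits:
        when = "PRE-PATCH" if h["pre_patch"] else "post-patch"
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["url"]} '
              f'-> {h["status"]} [{when}] {", ".join(h["reasons"])}')
    print(f"{len(pre_patch_hits(hits))} unrejected pre-patch hit(s) to investigate")
```

A traversal request answered with a 2xx before the patch date is the case the NCSC guidance treats as a possible compromise; the same request after the patch returning 404 is evidence the fix is in place, which is why the status code and the patch date are both kept in the finding.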
Dealing with it
Almost every organization today relies on a VPN to safeguard data transfer over the Internet. If you are a business owner using products from the corporations mentioned above, the following safety measures apply to you.
The NCSC recommends that all organizations potentially targeted by state-sponsored hackers review all VPN settings and all logs of services accessed over the VPN. It also suggests completely wiping devices that may have been compromised. Additionally, organizations should implement two-factor authentication for VPNs and disable unnecessary functionality and ports on the VPN.
Subscribing to third-party services for VPN security is also a sound idea. Organizations today face growing complexity everywhere: continuously evolving, automated and targeted cyber threats against the network, applications and programs on one side, and keeping up with the latest security patches on the other. VPN vulnerabilities are caught with prompt patching, regular VAPT checks and round-the-clock network health checks.
Logix, since 1999, is a committed and acknowledged provider of managed services, solutions and products in the cyber security space, with a dedicated team of nearly 20+ professionals supporting business enterprises across pan-India, from banks and government entities to financial institutions. With a strong focus on research and innovation, we have built extensive capability around Big Data for security analytics, response and security automation. Our prime focus lies in managing and deploying NGFW solutions from multiple OEMs. We manage over 1500+ SMB / mid-enterprise / enterprise customers, providing constant monitoring and hand-holding support 24*7*365.
We are eager to service all your network security needs. Get in touch with us now!