APT Actors Actively Exploiting GlobalProtect, Pulse Connect, Fortigate VPN Vulnerabilities

Advanced persistent threat (APT) actors are taking advantage of flaws in widely used VPN products from FortiGuard, Palo Alto and Pulse Secure to gain control of vulnerable VPNs and the internal networks behind them.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA), together with other cybersecurity institutions, published security alerts regarding a number of vulnerabilities in VPN products in the summer of 2019; nonetheless, plenty of companies were slow to take the required action. Weaponized exploits for the vulnerabilities have since been created and are being used by APT actors. The exploit code is easily obtainable on the web, on GitHub and in the Metasploit framework.

The UK’s National Cyber Security Centre issued an alert concerning the vulnerabilities on October 1, 2019, after multiple attacks on the military, government agencies, firms, and the education and medical care industries. The National Security Agency (NSA) likewise issued a security bulletin on October 7 regarding the vulnerabilities and their mitigations.

The vulnerabilities are found in obsolete versions of the Palo Alto GlobalProtect VPN (CVE-2019-1579), the Pulse Secure VPN (CVE-2019-11538 and CVE-2019-11508), and the Fortinet Fortigate VPN (CVE-2018-13382, CVE-2018-13379, CVE-2018-13383).

The bulletin did not say which APT actors are behind the attacks; however, there have been reports that APT5, a Chinese APT group, has been targeting Fortinet and Pulse Secure VPNs.

The weaponized exploits enable APT actors to read arbitrary files, including those containing authentication credentials. Those credentials could then be used to access vulnerable VPNs, alter settings, hijack encrypted traffic sessions, remotely execute code, and pivot to other systems on the network.

The vulnerabilities are dangerous and call for prompt action to avert exploitation. The NSA security bulletin directs all establishments that use any of the products mentioned above to check whether they are running the latest versions of the VPN operating systems; if not, they must upgrade without delay.

The NSA bulletin additionally provides details on the steps needed to check whether the vulnerabilities have already been exploited and the actions to take when an attack is detected. If a threat actor has already taken advantage of a vulnerability and acquired credentials, upgrading to the most current OS version will not stop those credentials from being used.

The NSA therefore recommends that all entities using vulnerable VPN versions reset credentials immediately after the upgrade and before reconnecting to the external network as a preventive measure, since it may be hard to determine from the log files whether a historic attack took place.

Administrator, user, and service account credentials should be reset. VPN server keys and certificates should be promptly revoked and regenerated. In the event of a suspected compromise, accounts must be reviewed to verify whether the attacker has created new accounts.

The NSA has furthermore published guidance on deploying public-facing VPNs as well as long-term hardening controls.