APT Actors Actively Exploiting Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities

Advanced persistent threat (APT) actors are exploiting vulnerabilities in popular VPN products from FortiGuard, Pulse Secure, and Palo Alto to gain access to vulnerable VPNs and the internal networks behind them.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA), along with other cybersecurity agencies, issued security warnings about several vulnerabilities in VPN products during the summer of 2019; nevertheless, many businesses were slow to take action. Weaponized exploits for the vulnerabilities have since been developed and are being used by APT actors. The exploit code is readily available on the internet, both on GitHub and in the Metasploit framework.

The UK’s National Cyber Security Centre published an advisory regarding the vulnerabilities on October 1, 2019, after a number of attacks on government institutions, the military, companies, and the education and healthcare industries. The National Security Agency (NSA) additionally issued a security warning on October 7 concerning the vulnerabilities, together with mitigations.

The vulnerabilities affect out-of-date versions of the Palo Alto GlobalProtect VPN (CVE-2019-1579), the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), and the Fortinet Fortigate VPN (CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383).

The advisory did not name the APT actors responsible for the attacks, though there were reports that APT5, the Chinese APT group, was attacking Pulse Secure and Fortinet VPNs.

The weaponized exploits allow APT actors to retrieve arbitrary files, including files that contain authentication credentials. That information can then be used to access vulnerable VPNs, modify configurations, hijack encrypted traffic sessions, execute code remotely, and connect to other network infrastructure.

The flaws are serious and demand prompt action to prevent exploitation. The NSA security warning instructs all institutions that use any of the products mentioned above to check whether they are running the most recent versions of the VPN operating systems; if not, they need to upgrade immediately.

The NSA warning also provides guidance on how to check whether the vulnerabilities have already been exploited and on the steps to take if an attack is identified. If a threat actor has already exploited a vulnerability and obtained credentials, upgrading to the most recent OS version will not stop those credentials from being used.

The NSA consequently instructs all entities operating vulnerable VPN versions to reset credentials after the upgrade and before reconnecting to the external network as a precaution, since it may be difficult to identify a historical attack from the log files.

User, administrator, and service account credentials must be reset. VPN server keys and certificates must be promptly revoked and regenerated. If a compromise is suspected, accounts should also be reviewed to determine whether the attacker has created new accounts.

The NSA has also issued recommendations for the deployment of public-facing VPNs and for long-term hardening controls.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone