U.S. and U.K. agencies warn consumers to update VPN technologies from Fortinet, Pulse Secure and Palo Alto Networks.
State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–CVE-2019-11539, CVE-2019-11510 and CVE-2018-13379–to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.
The National Cyber Security Centre in the United Kingdom posted a separate warning about the threats, which stem from vulnerabilities that allow “an attacker to retrieve arbitrary files, including those containing authentication credentials,” according to the post.
The flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.
The U.K.’s alert added two more Fortinet vulnerabilities to the list–CVE-2018-13382 and CVE-2018-13383—as well as a Palo Alto Networks VPN flaw, CVE-2019-1579.
Authorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.
To mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.
A more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.
Neither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.
The warnings come after reports surfaced last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).
APT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a report by FireEye.