<div dir="ltr"><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/">https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/</a><br></div></div><div dir="ltr"><br></div><div dir="ltr"><div class="gmail-c-article__intro" name="overview" style="box-sizing:inherit;color:rgb(51,51,51)"><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;color:rgb(119,119,119);word-break:break-word"><font face="arial, sans-serif" style="">U.S. and U.K. agencies warn consumers to update VPN technologies from Fortinet, Pulse Secure and Palo Alto Networks.</font></p></div><div class="gmail-c-article__content gmail-js-reading-content" style="box-sizing:inherit;color:rgb(51,51,51)"><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. 
officials.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">The National Security Agency (NSA) issued a <a href="https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">Cybersecurity Advisory</a> Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2019-11539</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2019-11510</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2018-13379</a>) to gain access to vulnerable VPN devices. 
The first two affect Pulse Secure VPNs while the third affects Fortinet technology.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">The National Cyber Security Centre in the United Kingdom posted <a href="https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">a separate warning</a> about the threats, which stem from vulnerabilities that allow “an attacker to retrieve arbitrary files, including those containing authentication credentials,” according to the post.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">The flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. 
Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">The U.K.’s alert added two more Fortinet vulnerabilities to the list, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2018-13382</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2018-13383</a>, as well as a Palo Alto Networks VPN flaw, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">CVE-2019-1579</a>.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">Authorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">To mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. 
The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">A more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wildcard certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">Neither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif">The warnings come after <a href="https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">reports surfaced</a> last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference. (The two companies have since patched those flaws.)</font></p><p style="box-sizing:inherit;margin:0px 0px 1.25rem;padding:0px;word-break:break-word"><font face="arial, sans-serif" style="">APT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and 
telecommunications companies, according to a <a href="https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" target="_blank" rel="noopener noreferrer" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(226,33,28)">report</a> by FireEye.</font></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
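<p>The two concrete configuration recommendations in the NSA list above, mutual certificate-based authentication for the public-facing VPN web application and no self-signed or wildcard certificates on it, can be exercised in code. The Go program below is an added example written for this page; it is not code from the article, from the NSA advisory, or from any of the vendors named. It uses only the Go standard library (crypto/x509 and crypto/tls over a TCP loopback listener) and Go 1.18 generics. Every name in it is assumed for the demonstration: the portal hostname vpn.example.internal, the "Example VPN CA" and the client "alice", and the helpers must, mintCert, CertFindings, handshake and Demo. It issues an in-memory CA, a portal certificate and a client certificate, flags a self-signed wildcard portal certificate, and then shows a portal configured with RequireAndVerifyClientCert admitting the client that holds a certificate from the CA and refusing the client that holds none.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// must treats an error as fatal: this demo stands in for a PKI and a listener that real code would handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a P-256 certificate, self-signed when parent is nil (hypothetical stand-in for a real PKI).
func mintCert(cn string, dns []string, isCA bool, ekus []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), // random serial (constructed)
		Subject:      pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
		BasicConstraintsValid: isCA, IsCA: isCA,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// CertFindings flags what the advisory discourages on a public-facing VPN portal: self-signed and wildcard certificates.
func CertFindings(c *x509.Certificate) (out []string) {
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, "self-signed") // the certificate verifies under its own public key
	}
	for _, n := range c.DNSNames {
		if strings.HasPrefix(n, "*.") {
			out = append(out, "wildcard:"+n)
		}
	}
	return out
}

// handshake runs one TLS handshake over TCP loopback; the server's verdict decides, since a TLS 1.3 client finishes first.
func handshake(server, client *tls.Config) bool {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		verdict <- tls.Server(raw, server).Handshake()
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	return tls.Client(raw, client).Handshake() == nil && <-verdict == nil
}

// Demo returns CertFindings for a self-signed wildcard portal cert and a CA-issued one, then whether a portal requiring client certificates admits a client holding one from that CA and one holding none.
func Demo() (badFindings, goodFindings []string, withCert, withoutCert bool) {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	ca, caKey := mintCert("Example VPN CA", nil, true, nil, nil, nil)
	portal, portalKey := mintCert("vpn.example.internal", []string{"vpn.example.internal"}, false, serverAuth, ca, caKey)
	selfSigned, _ := mintCert("*.example.internal", []string{"*.example.internal"}, false, serverAuth, nil, nil)
	alice, aliceKey := mintCert("alice", nil, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{portal.Raw}, PrivateKey: portalKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the mutual-authentication setting
		ClientCAs:              pool,                           // only certificates chaining to the VPN CA count
		SessionTicketsDisabled: true,                           // no post-handshake writes in this demo
	}
	noCert := &tls.Config{RootCAs: pool, ServerName: "vpn.example.internal"}
	hasCert := noCert.Clone()
	hasCert.Certificates = []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}}
	return CertFindings(selfSigned), CertFindings(portal), handshake(server, hasCert), handshake(server, noCert)
}

func main() {
	bad, good, withCert, withoutCert := Demo()
	fmt.Println("findings:", bad, good, "| accepted with client cert:", withCert, "without:", withoutCert)
}
```

<p>Run with <code>go run</code>. Demo reports the self-signed wildcard certificate as <code>[self-signed wildcard:*.example.internal]</code>, nothing for the CA-issued one, and a portal that accepts the client holding a certificate from its CA while refusing the client holding none. Two details matter when reusing the check: with TLS 1.3 the client's Handshake() returns before the server has verified the client certificate, so rejection only shows up on the server side, and session tickets are disabled solely so that Handshake() is the whole exchange in this demo.</p>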