[BreachExchange] APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 8 10:28:23 EDT 2019


https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/

U.S. and U.K. agencies warn consumers to update VPN technologies from
Fortinet, Pulse Secure and Palo Alto Networks.

State-sponsored advanced persistent threat (APT) groups are using flaws in
outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse
Secure to carry out cyber attacks on targets in the United States and
overseas, warned U.S. and U.K. officials.

The National Security Agency (NSA) issued a Cybersecurity Advisory
<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>
on Monday about the threats and offered mitigation suggestions, warning
that multiple APT actors have weaponized three critical vulnerabilities,
all publicly disclosed and patched earlier this year: CVE-2019-11539
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>,
CVE-2019-11510
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510> and
CVE-2018-13379 <https://nvd.nist.gov/vuln/detail/CVE-2018-13379>. The
actors use them to gain access to vulnerable VPN devices. The first two
affect Pulse Secure VPNs while the third affects Fortinet technology.

The National Cyber Security Centre in the United Kingdom posted a separate
warning <https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities> about the
threats, which stem from vulnerabilities that allow “an attacker to
retrieve arbitrary files, including those containing authentication
credentials,” according to the post.

With those stolen credentials an attacker can then authenticate to the VPN
and change its configuration, or use the VPN session to reach other
infrastructure on the internal network, authorities warned. From that
foothold the attacker may be able to run secondary exploits against the
appliance itself and obtain a root shell on it.
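The attack chain above starts with an unauthenticated request that reads a file
the VPN web application should never serve. The artefact that leaves in the
appliance's web access log is a request path (or query value) that climbs out of
the application root with "../" sequences, often URL-encoded once or twice, or
that names a sensitive file outright. The following scanner is an added example,
not code from the advisories or from any of the vendors named in the article; the
Combined Log Format lines it parses, the "/vpn/..." paths in them, the IP addresses
and the list of sensitive files are all constructed for illustration, and the
"status 200 means the read succeeded" rule is a triage heuristic, not a vendor
statement.

```python
"""Scan VPN web-application access logs for path-traversal file reads.

Added example (not from the NSA/NCSC advisories or any vendor). The log
lines, paths and addresses below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined/Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative list of files whose name in a request is suspicious on any
# appliance; extend it with the credential stores of the product in use.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/proc/self/environ")


def fully_decode(s, rounds=3):
    """URL-decode until the string stops changing, so %252e%252e -> '..'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path):
    """True if walking the segments ever climbs above the starting directory."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def names_sensitive_file(path):
    p = path.replace("\\", "/")
    return any(f in p for f in SENSITIVE_FILES)


def analyze_target(target):
    """Return the reasons a request-target looks like an arbitrary file read."""
    reasons = []
    parts = urlsplit(fully_decode(target))
    # Traversal can sit in the path or in a query value (e.g. ?file=../..).
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for cand in candidates:
        cand = fully_decode(cand)  # query values are sometimes encoded again
        if escapes_root(cand):
            reasons.append(f"traversal: {cand}")
        if names_sensitive_file(cand):
            reasons.append(f"sensitive-file: {cand}")
    return reasons


def scan_log(lines):
    """Parse each line and keep those whose request-target is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line (or a format we do not parse)
        reasons = analyze_target(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "target": m["target"], "reasons": reasons})
    return hits


def successful_reads(hits):
    """Heuristic: a 200 to a traversal request suggests the file was served."""
    return [h for h in hits if h["status"] == 200]


# Constructed sample log: one benign login, three traversal attempts (the
# last one double-encoded and rejected with 404), one benign POST.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2019:02:14:09 +0000] "GET /vpn/login.html HTTP/1.1" 200 5120
203.0.113.7 - - [06/Oct/2019:02:14:11 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.23 - - [06/Oct/2019:02:15:40 +0000] "GET /vpn/lang?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 912
198.51.100.23 - - [06/Oct/2019:02:15:41 +0000] "GET /vpn/static/%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 211
192.0.2.44 - - [06/Oct/2019:02:20:02 +0000] "POST /vpn/login HTTP/1.1" 302 0
"""


def scan_sample():
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(h["ts"], h["ip"], h["status"], h["target"], "; ".join(h["reasons"]))
```

Every hit from a pre-patch window with a 200 response should be treated as a
credential exposure: that is the case where the advisories' "rotate all
credentials and re-issue server keys" step is not optional. A 4xx on the same
request after patching shows the fix is in place but says nothing about what was
read before it.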

The U.K.'s alert added two more Fortinet vulnerabilities to the list,
CVE-2018-13382
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382> and
CVE-2018-13383
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>, as well as
a Palo Alto Networks VPN flaw, CVE-2019-1579
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>.

Authorities offered a series of mitigation techniques for the
vulnerabilities, which they said should be taken very seriously by users of
these products.

Against all of these threats, officials recommend two basic steps: apply the
vendor patches to any VPN in use that could be at risk, and then reset
existing credentials, since the file-read flaws may already have exposed
them. The NSA also recommended revoking existing VPN server keys and
certificates and generating new ones.

A more comprehensive list of mitigation techniques recommended by the NSA
also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols
and of self-signed and wildcard certificates for public-facing VPN web
applications; requiring mutual certificate-based authentication, so that
remote clients attempting to access the public-facing VPN web application
must present a valid client certificate to maintain a connection; and using
multi-factor authentication, so that an attacker holding a compromised
password still cannot authenticate without the second factor.

Neither the NSA nor the National Cyber Security Centre alerts identified
which groups are responsible for the attacks.

The warnings come after reports surfaced last month
<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>
that APT5 was targeting VPNs from Fortinet and Pulse Secure after
code for two of the aforementioned vulnerabilities was disclosed in a
presentation at the Black Hat security conference (both vendors have
patched those flaws).

APT5, a Chinese state-sponsored group also known as Manganese, has been
active since 2007 with a particular focus on technology and
telecommunications companies, according to a report by FireEye
<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>.