Account Takeover Fraud , Cloud Security , Cybercrime

Unpatched VPN Servers Targeted by Nation-State Attackers

Pulse Secure, Palo Alto and Fortinet Devices Being Hit by APT Groups, NCSC Warns

Pulse Secure VPN servers vulnerable to CVE-2019-11510, based on Sept. 30, 2019, scan results (Source: Bad Packets)

Nation-state attackers continue to target virtual private networking servers that have not yet been patched to fix known flaws.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

Advanced persistent threat actors are continuing their exploit attempts against name-brand VPNs used by organizations around the world, Britain's National Cyber Security Center, which provides public and private incident response support to U.K. organizations, warned on Wednesday.

"The NCSC is investigating the exploitation by APT actors of known vulnerabilities affecting VPN products from vendors Pulse Secure, Palo Alto and Fortinet," reads the alert issued by the NCSC, which is part of Britain's GCHQ intelligence agency. "This activity is ongoing, targeting both U.K. and international organizations. Affected sectors include government, military, academic, business and healthcare."

As the NCSC alert notes, unpatched VPN servers from all three vendors can be remotely exploited by attackers, without having to authenticate to the device, to steal credentials and use them to access a device, as well as alter credentials and connect to other enterprise infrastructure. "Unauthorized connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell," it says.

CISA Urges Immediate Patching

The U.S. Cybersecurity and Infrastructure Security Agency has pointed to the NCSC alert and advised all U.S. organizations to immediately assess whether they have unpatched systems. "CISA encourages administrators to review the NCSC alert for more information and to review the ... security advisories and apply the necessary updates," CISA says.

The NCSC alert follows security researchers at Microsoft in August warning that APT5, which appears to be linked to the Chinese government, began targeting unpatched Pulse Secure and Fortinet products servers in mid-July, if not earlier. APT5 is also referred to as Manganese by Microsoft, and PittyTiger and Pitty Panda by other security firms (see: Chinese APT Group Began Targeting SSL VPN Flaws in July).

Since August, security experts have been urging organizations to patch vulnerable Fortinet and Pulse Secure equipment (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).

But the NCSC alert notes that a recently fixed flaw in Palo Alto Networks GlobalProtect Portal is also being actively targeted by APT attackers. Specifically, products running a vulnerable version of PAN-OS, the software that runs all Palo Alto Networks next-generation firewalls, which have GlobalProtect Portal or GlobalProtect Gateway Interface enabled, can be exploited to "allow an unauthenticated remote attacker to execute arbitrary code," according to a CVE alert.

Patches Released

Palo Alto first patched the flaw on July 17 via patched versions of PAN-OS, although it failed to issue a security notification to customers, NCSC notes. Affected products include:

Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19;

Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12;

Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3.

Any organization that didn't immediately patch may have been hacked, NCSC warns. "It may be difficult to detect past exploitation in logs," it says. "But failed exploit attempts may cause a crash, which could be visible in logs."

Flaws from the other two vendors were disclosed and patched earlier, backed by security notifications: In April, Pulse Secure released patches for Pulse Connect Secure, previously known as Juniper SSL Virtual Private Network. In April and May, Fortinet released updates to patch flaws in FortiOS.

Both companies have urged customers to immediately install the firmware updates. Pulse Secure also says it will assist any customers that require help - even if they are no longer paying for customer support.

VPN Flaws: Patch Now

Pulse Connect Secure

CVE-2019-11510: Pre-auth arbitrary file reading.

CVE-2019-11539: Post-auth command injection.

Fortinet

CVE-2018-13379: Pre-auth arbitrary file reading.

CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.

CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto

CVE-2019-1579: Palo Alto Networks GlobalProtect Portal.

Hack Mitigation: Reset Admin and User Credentials

Even for organizations that have applied the relevant patches, NCSC recommends that security teams review whether they were hacked after the patches were released, but before they were applied.

"Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release," says the NCSC, which in its security alert includes additional guidance for each set of affected products. "Administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times. Snort rules are available in open source, but may not pick up events for exploits over HTTPS."

For any organization that suspects that systems may have been exploited prior to being patched - or which cannot prove definitively otherwise - the expert advice is to reset all VPN credentials.

"System administrators who suspect that exploitation may have occurred or cannot rule out this possibility should revoke credentials that were at risk of theft. This may include both administrative and user credentials," the NCSC says. "Resetting authentication credentials will defend against unauthorized access using credentials acquired prior to patching affected systems."

Same Researchers Discovered All Flaws

Researchers Meh Chang (@mehqq_) and Orange Tsai (@orange_8361) of the Taipei City, Taiwan-based consultancy Devcore discovered the flaws in all three vendors' products and reported them to vendors, withholding publishing their research until patches were issued prepared.

Since then, sample code for exploiting the flaws has been released by independent security researchers. Even before then, however, at least some nation-state attackers appeared to have already begun targeting the flaws.

So, we wrote an #exploit for the Pulse Connect Secure SSL VPN arbitrary file read vulnerability (#CVE-2019-11510). Take it for a spin: https://t.co/ErndDCBSz0 pic.twitter.com/yI8t1Cpoyr — Bishop Fox (@bishopfox) September 16, 2019

Unpatched Devices Persist

By late August, Troy Mursch of Chicago-based threat intelligence firm Bad Packets warned that his firm's honeypots had detected opportunistic, large-scale mass scanning activity by hackers looking for Pulse Secure VPN SSL servers. Despite ongoing warnings, however, numerous unpatched devices still remain at large.

Bad Packets on Oct. 4 reported that "thousands of Pulse Secure VPN servers worldwide remain vulnerable to CVE-2019-11510." As of Sept. 30, it counted at least 6,527 vulnerable Pulse Secure VPN endpoints across 4,328 unique domains. The greatest number of Pulse Secure VPNs it was seeing was by far in the United States, followed by Japan and the United Kingdom.

Total vulnerable Pulse Secure VPN servers by country:

United States: 2,142

Japan: 845

United Kingdom: 474

France: 292

South Korea: 265

Germany: 207

China: 186

Belgium: 163

Canada: 156

Switzerland: 147

All others: 1,655https://t.co/25Bwl6X7vC — Bad Packets Report (@bad_packets) September 30, 2019

Serious Risk Posed by 'Medium Impact' Flaw

Incident response expert David Stubley has urged organizations to patch all of the flaws cited in the NCSC alert, regardless of the official severity rating for any of the vulnerabilities.

In particular, he calls out CVE-2018-13379, designated FG-IR-18-384 by Fortinet. "It's worth highlighting that CVE-2018-13379 is only flagged as being a medium-impact issue, however it is trivial to extract plaintext usernames and passwords - no authentication required - and use those to gain access to the enterprise," says Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. "This can be targeted as a standalone issue with no need to chain any other attacks together."

Stubley says his firm began warning customers about this flaw several weeks before the NCSC released its alert, recommending that they immediately apply the patch.

Fortinet didn't immediately respond to a request for comment about why this flaw has only been designated as posing a medium-impact risk.

Poor Password Hygiene

For that single flaw, Stubley says his internet scans have found at least 26,000 vulnerable devices globally, out of 206,000 total devices. Within the U.K., he says, out of 3,613 devices spotted by his scans, 704 remain vulnerable.

One problem is that the flaw can be abused by remote attackers to extract plaintext usernames and passwords from unpatched Fortinet devices. But Stubley says he's also grabbed - but not used - passwords from vulnerable systems, and found widespread evidence of poor password hygiene. "One example of a password we found was 'Welcome2019,'" he tells Information Security Media Group.

Out of 60,000 unique credentials extracted globally by his scans, nearly 800 were based in some part on the word "password," while more than 4,000 referenced "2019."

One risk is that organizations that have chosen such weak passwords may also be reusing them across systems, such as for Office 365 administrator accounts, he warns (see: Credential Stuffing Attacks: How to Combat Reused Passwords).

Stubley says the mismatch between the assessed "medium" impact risk posed by this flaw and its potential for having a serious real-world impact highlights how security teams cannot rely solely on automated security tools when pursuing vulnerability management. "Without intelligent, human analysis of the raw output, potentially critical issues can be missed," he says.