APT Groups Are Exploiting Vulnerabilities in Enterprise VPN Products, the UK NCSC Warns

• APT actors are targeting the UK and other international organizations in the healthcare sector, educational sector, government, and military.
• The vulnerabilities exist in several VPN products that allow an attacker to retrieve arbitrary files containing sensitive data including authentication credentials.

What is the issue?

The UK’s National Cyber Security Centre (NCSC) has warned that Advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities affecting enterprise VPN products from Fortinet, Palo Alto Networks and Pulse Secure.

A brief overview

APT actors are targeting the UK and other international organizations in the healthcare sector, educational sector, government, and military. The vulnerabilities exist in several VPN products that allow an attacker to retrieve arbitrary files containing sensitive data including authentication credentials.

• Such credentials could allow an attacker to connect to the VPN and change configuration settings.
• Unauthorized connection to a VPN could also allow an attacker to gain privileges required to run secondary exploits aimed at accessing a root shell.

More details on the vulnerabilities

The list of vulnerabilities that are being exploited include:

• The pre-auth arbitrary file reading vulnerability (CVE-2019-11510) in Pulse Connect Secure.
• The post-auth command injection vulnerability (CVE-2019-11539) in Pulse Connect Secure.
• The pre-auth arbitrary file reading vulnerability (CVE-2018-13379) in Fortinet
• A vulnerability (CVE-2018-13382) in Fortinet that allows an attacker to change the password of an SSL VPN web portal user.
• The post-auth heap overflow vulnerability (CVE-2018-13383) in Fortinet.
• The CVE-2019-1579 vulnerability in Palo Alto Networks GlobalProtect Portal

Mitigations

• The NCSC recommends users of these VPN products to monitor their logs, network traffic, and services used to connect through the VPNs for any evidence of compromise.
• In case of any evidence, it is best to factory reset (or wipe) the device and reset authentication credentials associated with the affected VPNs.
• Users are advised to check all configuration options for unauthorized changes.
• In order to avoid exploitation, the agency recommends enabling two-factor authentication for VPNs and disabling unwanted functionality and ports on the VPN.
• The agency also advises the users to update their products to the latest security patches.

“System administrators who suspect that exploitation may have occurred or cannot rule out this possibility should revoke credentials that were at risk of theft. This may include both administrative and user credentials. Resetting authentication credentials will defend against unauthorised access using credentials acquired prior to patching affected systems,” NCSC said.