VPN Vulnerabilities - The Gift That Keeps on Giving to Attackers

What’s the latest update?

• Earlier this month, a hacker posted a list of IP addresses from almost 50,000 Fortinet VPN devices that are vulnerable to a path traversal vulnerability (CVE-2018-13379).
• During the investigation, it was found that the targeted domains belonged to high street banks and government organizations from around the world.
• The exploit posted by the hacker could let attackers access the sslvpn_websession files from Fortinet VPNs to steal login credentials. Those stolen credentials could then be used to compromise a network and deploy ransomware.

What does this indicate?

• Malicious actors can exploit the vulnerability and cause serious downtime resulting in significant financial loss.
• Since VPN endpoints play a crucial role in business infrastructure, compromise of even a single endpoint may lead to taking over the entire domain or network.

A new twist in the tale

• In mid-October, the U.S. government warned of new APT attacks that combined exploits for VPN products with the recently discovered Zerologon bug.
• The advisory noted that after gaining initial access through the Zerologon flaw, actors leveraged vulnerabilities in VPNs to access the environment with the compromised credentials.
• Furthermore, CISA revealed that VPN products from Juniper, Pulse Secure, Citrix NetScaler, and Palo Alto Networks could be chained with Zerologon to achieve the same result.

Unpatched Zero-day flaw adds more concern

• Zero-day vulnerabilities present serious risks and this issue becomes more serious when security patches are not released on time.
• For instance, Cisco reported a zero-day vulnerability in its AnyConnect Secure Mobility Client VPN product without releasing a fix.
• Though the security flaw has not been exploited yet, the proof-of-concept is publicly available, which opens up risks of cybercriminals potentially leveraging the flaw.

The bottom line