APT groups exploiting VPNs to carry out cyber attacks

NCSC and NSA warn that services from Palo Alto, Fortinet and Pulse Secure are vulnerable


The National Cyber Security Centre (NCSC) and the National Security Agency (NSA) have both issued warnings about vulnerabilities that exist in some versions of widely-used virtual private network (VPN) services.

Highly severe flaws in the VPN products developed by Palo Alto Networks, Fortinet and Pulse Secure (Pulse Connect Secure) top the list of vulnerabilities that have been exploited by attackers to gain access to vulnerable devices.

The flaws identified by the NCSC stem from vulnerabilities that allow an attacker to retrieve arbitrary files by exploiting the VPN, including documents that could contain user credentials.

These stolen credentials can then be used to connect to the VPN and change its settings, as well as to connect to other infrastructure behind it. Such a connection could also give attackers the privileges needed to run secondary exploits aimed at obtaining a root shell on the device.

"Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release," the NCSC advisory said.

"Administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times. Snort rules are available in open source but may not pick up events for exploits over HTTPS."

The agency has also advised system administrators who suspect there may have been exploitation to revoke credentials that were at risk of theft, including both user and administrative credentials. Resetting credentials will protect against unauthorised access using credentials acquired before affected systems could have been patched.
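As an added example (not code from the article or from the NCSC/NSA advisories), the following Python triages constructed VPN authentication log lines for the two indicators the guidance names, logins from anomalous locations and at anomalous times, and lists the accounts whose credentials should be reviewed. The log format, the IP-to-region map and the working-hours window are assumptions.

```python
# Added example: flag VPN accounts showing anomalous login locations or
# times, the indicators the NCSC guidance tells administrators to look for.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2019-10-03T09:12:44Z alice 203.0.113.10 success
2019-10-03T09:40:02Z bob 198.51.100.7 success
2019-10-03T10:05:19Z alice 192.0.2.55 success
2019-10-04T03:17:51Z bob 198.51.100.7 success
2019-10-04T11:02:00Z carol 203.0.113.20 failure
"""

# Constructed IP-prefix-to-region map; a real deployment would use GeoIP.
IP_REGION = {"203.0.113.": "GB", "198.51.100.": "GB", "192.0.2.": "XX"}

def parse(lines):
    """Return (timestamp, user, ip) for each successful login line."""
    events = []
    for line in lines.splitlines():
        ts, user, ip, result = line.split()
        if result != "success":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return events

def region_of(ip):
    return next((r for p, r in IP_REGION.items() if ip.startswith(p)), "??")

def find_anomalies(lines, window=timedelta(hours=2), work_hours=(7, 20)):
    """Return {user: [reasons]} for accounts that need credential review."""
    flags = defaultdict(list)
    by_user = defaultdict(list)
    for ts, user, ip in sorted(parse(lines)):
        by_user[user].append((ts, ip))
    for user, evs in by_user.items():
        # Two successful logins from different regions close together.
        for (t1, ip1), (t2, ip2) in zip(evs, evs[1:]):
            if region_of(ip1) != region_of(ip2) and t2 - t1 <= window:
                flags[user].append(f"region change {region_of(ip1)}->{region_of(ip2)} within {t2 - t1}")
        # Successful login outside the assumed working-hours window.
        for ts, ip in evs:
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                flags[user].append(f"off-hours login at {ts.isoformat()} from {ip}")
    return dict(flags)

if __name__ == "__main__":
    for user, reasons in find_anomalies(SAMPLE_LOG).items():
        print(user, reasons)
```

Accounts flagged this way are candidates for the credential revocation the NCSC recommends, alongside a review of the device's own logs for file-retrieval attempts.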

"Pulse Secure is aware of and appreciates the reports published by NCSC," a spokesperson said.

"The more customers are made aware of the severity of the vulnerabilities and the patch fix Pulse Secure has made available since April 24, 2019, the more motivated customers will be to take necessary and immediate mitigation action by upgrading their VPN system."


The NSA, in its assessment, homed in on three critical Pulse Secure flaws that have been "weaponised" by nation state-sponsored attackers. These vulnerabilities allow remote arbitrary file downloads and remote code execution on gateways.

The US agency also highlighted one critical vulnerability in Palo Alto GlobalProtect VPN that allows remote code execution, and another flaw in Fortinet FortiGate VPN devices.

"Our customer's security is our first priority and we urge customers to immediately implement all appropriate patch updates and signatures," Fortinet said.

"In addition to industry-leading best practices, we follow and comply with regular review processes that include multiple tiers of inspection, internal and third-party audits, and automated triggers and tools across the entire development of our source code."

The company added that it has recently improved its security practices, including the introduction of annual secure code training, a bug identification incentive programme, and automated monitoring of the vulnerability landscape.

IT Pro also approached Palo Alto Networks for comment.
