If your employees are using virtual private networks (VPNs) from Fortinet, Palo Alto, or Pulse Secure, you really need to patch the products and search through system logs for signs of compromise.
As ZDNet reported in September, a group of Chinese state-backed hackers known as APT5 have been attacking enterprise VPN servers using Fortinet and Pulse Secure products.
But APT5 might not be the only state-sponsored hacking group attempting to use the flaws. The UK’s National Cyber Security Centre (NCSC), a unit of UK spy agency GCHQ, is now warning organizations that Palo Alto’s GlobalProtect portal and GlobalProtect Gateway interface products are also under attack by state-sponsored attackers.
“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business, and healthcare. These vulnerabilities are well documented in open source,” NCSC warns.
NCSC highlights six of the highest-impact vulnerabilities across the products that are being exploited by APT groups.
Patches for each vulnerability are available, and the agency is recommending admins update immediately to avoid compromise because exploit code for the bugs is available on the internet.
Some of the bugs were detailed at Black Hat USA in August, shortly before attacks on Fortinet and Pulse Secure were first detected.
The VPN flaws would allow attackers to gain authentication credentials that can be used to connect to the VPN and change configuration settings or provide privileges to use additional exploits to gain a root shell.
The bugs include two flaws affecting the Pulse Connect Secure VPN, CVE-2019-11510 and CVE-2019-11539; three vulnerabilities in Fortinet’s FortiGate devices, CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383; and a critical remote code execution bug in Palo Alto’s GlobalProtect portal and GlobalProtect Gateway interface products, CVE-2019-1579.
In light of the attacks, the NCSC has provided detailed and product-specific instructions for admins to check logs for signs of past exploitation.
For example, for CVE-2019-11510 affecting Pulse Secure, it suggests searching logs for “URLs containing ? and ending with /dana/html5acc/guacamole/ (Regular Expression: ?.*dana/html5acc/guacamole/)”.
“If any are found dated before the patch was applied, it may indicate a compromise. The matching string will contain the name of the file the attacker attempted to read,” it notes.
The Fortinet bug CVE-2018-13379 may have been exploited if admins find that sslvpn_websession was downloaded. The file is at least 200kB in size and contains the usernames and passwords of active users.
For Palo Alto VPNs, it recommends searching logs for past crashes, which may have been caused by failed exploit attempts.
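The two log checks above (the Pulse Secure URL pattern and the FortiGate sslvpn_websession download) are simple enough to automate. The script below is an added example, not code from the article or from the NCSC advisory it quotes: it scans constructed web-access log lines, flags hits for either indicator, and marks whether each hit is dated before the patch was applied, which is the condition the NCSC says may indicate compromise. The log format, the sample lines, the patch date and the 200 kB response-size heuristic for a successful sslvpn_websession download are assumptions made for the example; the `?` in the quoted regex is escaped so the expression is valid.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Pulse Secure indicator quoted from the NCSC advisory: a URL containing '?'
# and ending with /dana/html5acc/guacamole/. The '?' is escaped for Python.
PULSE_TRAVERSAL_RE = re.compile(r"\?.*dana/html5acc/guacamole/")

# FortiGate indicator from the article: the sslvpn_websession file was downloaded.
FORTINET_WEBSESSION_RE = re.compile(r"sslvpn_websession")
# The article says the file is at least 200 kB; treat a response at least that
# large as a likely successful download (heuristic assumed for this example).
FORTINET_MIN_BYTES = 200 * 1024

# Assumed date on which the appliance was patched (constructed for the example).
PATCHED_AT = datetime(2019, 9, 1, tzinfo=timezone.utc)

# Constructed sample log lines (not real traffic) in an assumed format:
# "<ISO timestamp> <client> <method> <url> <status> <response bytes>"
SAMPLE_LOG = """\
2019-08-20T10:15:02Z 203.0.113.7 GET /dana-na/auth/url_default/welcome.cgi 200 5120
2019-08-21T03:44:19Z 198.51.100.23 GET /dana-na/auth/index.cgi?/dana/html5acc/guacamole/ 200 1470
2019-08-22T11:02:55Z 198.51.100.23 GET /remote/download?file=sslvpn_websession 200 231424
2019-09-05T08:00:00Z 203.0.113.7 GET /dana-na/auth/url_default/welcome.cgi 200 5120
2019-09-10T22:13:41Z 198.51.100.77 GET /dana-na/auth/index.cgi?/dana/html5acc/guacamole/ 403 312
"""


@dataclass
class Finding:
    line_no: int
    indicator: str
    timestamp: datetime
    url: str
    response_bytes: int
    before_patch: bool      # NCSC: pre-patch hits may indicate compromise
    likely_success: bool    # HTTP 200 (and, for FortiGate, a large enough body)


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, parts[1], parts[2], parts[3], int(parts[4]), int(parts[5])


def scan_log(text, patched_at=PATCHED_AT):
    """Return a Finding for every line matching either indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _client, _method, url, status, size = rec
        if PULSE_TRAVERSAL_RE.search(url):
            indicator = "Pulse Connect Secure CVE-2019-11510"
            success = status == 200
        elif FORTINET_WEBSESSION_RE.search(url):
            indicator = "FortiGate CVE-2018-13379"
            success = status == 200 and size >= FORTINET_MIN_BYTES
        else:
            continue
        findings.append(Finding(line_no, indicator, ts, url, size,
                                ts < patched_at, success))
    return findings


def pre_patch_hits(findings):
    """Only the hits the NCSC guidance treats as possible compromise."""
    return [f for f in findings if f.before_patch]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "PRE-PATCH" if f.before_patch else "post-patch"
        print(f"line {f.line_no}: {f.indicator} [{flag}, success={f.likely_success}] {f.url}")
```

Running it against the sample lines reports three hits: the pre-patch Pulse Secure request and the pre-patch sslvpn_websession download (both worth treating as possible compromise), and a post-patch Pulse Secure request that the patched appliance rejected. In a real investigation the matching Pulse Secure string would, as the NCSC notes, also carry the name of the file the attacker tried to read, so retain the full URL rather than just the match.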
The NCSC recommends that organizations targeted by state-backed hackers check all VPN settings and review the logs of services, such as email, that users reach through the VPN.
It also recommends wiping devices if they may have been compromised. Additionally, organizations should implement two-factor authentication for VPNs and disable unnecessary functionality and ports on the VPN.