Updated October 21, 2019 – The U.S. and U.K. spy agencies have issued separate cybersecurity advisories on 10/21/2019 urging users to patch and mitigate the VPN holes discussed below. The NSA advisory (PDF) warns that “multiple nation-states advanced persistent threat (APT) actors have weaponized” the flaws. The U.K.’s National Cyber Security Centre (NCSC) advisory is here.
—
Updated September 29, 2019 – SafeBreach Labs discovered a vulnerability in Forcepoint’s VPN client software. The flaw will give attackers unfettered access to its users’ Windows computers.
In its article detailing the bug, Forcepoint explained The flaw enables an attacker to insert their own executable which will run with administrative privileges, giving the attackers administrative access to the system. Forcepoint gave the bug a CVE number of 2019-6145 and a base severity score of 6.7. According to a Forcepoint knowledge base article, the flaw is patched in version 6.6.1 of the Forcepoint VPN Client for Windows.
—
Updated September 10, 2019 – ZDNet is reporting that the Chinese state-sponsored hacker group APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure since the security flaws discussed below became public knowledge last month. FireEye reports (PDF) that APT5 has been active since 2007 and has targeted multiple industries.
APT5 was reportedly one of the first to start scanning the internet and then later attempt to exploit vulnerabilities in the Fortinet and Pulse Secure VPN servers. The attackers sought to steal files storing password information or VPN session data from the affected products. These files would have allowed attackers to take over vulnerable devices.
—
Everybody loves their virtual private networks. SSL VPNs provide a convenient way for business users to connect to corporate networks while out of the office. A recent study by FlexJobs found 30% of workers have left a job because it did not offer flexible work options like remote work. Further, the report said, that 80% of staff would be more loyal to their employers if they had flexible work options and 52% of workers have tried to negotiate flexible work arrangements with their employer.
Hackers love VPNs too
Last month VPNpro found that the majority of VPN services have close ties to China. CSO Online points out that if you are running a VPN that is developed and owned in China, then there is a serious chance that your information is not as private as you think. Every technology company that operates within China, including ISPs, are required to comply with any Chinese governmental request for data. That includes your data. The Chinese government has a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign companies.
VPNpro also found that some Chinese firms own different VPNs split among different subsidiaries. For example, the Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove, and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.
China is not the only concern
VPNpro also found that seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.
VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore the company of origin, is completely hidden.
If that is not scary enough – There are new reports that attackers are now targeting the devices used to attach VPNs to the network. Help Net Security reports that attackers are exploiting known flaws in Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.
Flaws VPN installations
These attacks could allow attackers to steal passwords and gain full, remote access to an organization’s networks. Attackers have been targeting two vulnerabilities:
- CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.
Researchers Meh Chang and Orange Tsai at Taipei City, Taiwan-based consultancy Devcore reported the flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22, 2019.
In an August 9, 2019 blog post the Devcore researchers recapped their Black Hat 2019 demonstration. Tsai told TechCrunch in an email, “The SSL VPN is the most convenient way to connect to corporate networks … it’s also the shortest path to compromise their intranet.”
Pulse Secure VPNs
Privately held California-based Pulse Secure released an update on April 24, 2019, to address these flaws and urged customers to upgrade all affected products “as soon as possible.” The vendor warned that aside from patching, no workaround would protect systems, “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).”
Cyber threat intelligence firm Bad Packets has warned about activity aimed at vulnerable Pulse Connect Secure endpoints. So far they have found nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 across all sectors of the U.S. This includes:
- U.S. military networks,
- Hospitals,
- Electric utilities,
- Financial institutions, and
- Fortune 500 companies.
Fortinet VPNs
Fortinet (FTNT) released a security advisory on May 24, 2019, to address these flaws and urged customers to update their firmware to safeguard themselves. In a blog post, the Devcore researchers wrote about the flaws they’d found in Fortinet devices, “In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.”
Independent British security researcher Kevin Beaumont told BankInfoSecurity he was tracking attacks against Fortigate servers. Beaumont reported seeing “the Fortigate SSL VPN backdoor being used in the wild” against one of his honeypots.
ZDNet claims the number of vulnerable FortiGate VPNs is believed to be in the hundreds of thousands, although we don’t have an exact stat about the number of unpatched systems that are still vulnerable to attacks.
rb-
This isn’t the first time that serious flaws have been found and patched in enterprise-grade networking gear. In 2016 researchers found a vulnerability in Fortinet’s FortiGate OS – that functioned as an SSH backdoor and researchers found an authentication bypass flaw in Juniper Networks (JNPR) ScreenOS firmware.
In April 2019, U.S. Homeland Security issued a warning about vulnerabilities in many major corporate VPN applications. The VPN apps from — Cisco (CSCO), Palo Alto Networks (PANW), Pulse Secure, and F5 Networks (FFIV)— improperly store authentication tokens and session cookies on a user’s computer.
Obviously, there is no time to waste: firms should update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.
Security researcher Kevin Beaumont told BankInfoSecurity:
Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents … Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities].
Maybe firms should get their VPN devices on a regular update schedule before they become Virtual Pwnd Networks.
Related Posts
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Fall is coming. Fall means football, leaf-peeping, cider and winter is coming. The season is also time to start that big project. New data from Redbooth maker of a web-based workplace collaboration tool says that Autumn is the most productive time to start a project. The San Francisco, CA-based firm looked at 1.8 million projects and 28 million tasks over a four-year period and quantified what a lot of us already intuitively know.
20% more productive in autumn than in winter
Redbooth found that October is the most productive month followed by September and November. The least productive time to start a project is in January. People complete 9.5% of tasks in October, while in January they only do 7.2%. The researchers surmised that it could be the holiday rush that pressures people into getting more done or perhaps even adults have that refreshed, back to school feeling in the fall.
This one is a bit more surprising. Even though don’t like Mondays, Redbooth says we work well on them. Monday is the most productive time to start a project. People reported completing the most tasks at 20.4%. Only 16.7% of tasks are completed on Fridays, making Friday nearly 20% less productive than Monday.
We work best just before Lunch. Productivity peaks at 11 AM with 9.7% of tasks completed. After that, the effects of food set in, and a slump tends to occur after 1 PM. After 1 PM, productivity never quite returns to its peak, due to the “post-lunch dip.”
