Tag Archive for FTNT

| August 31, 2019
Comments Off on Are Your VPNs – Virtual Pwnd Networks

Are Your VPNs – Virtual Pwnd Networks

Updated October 21, 2019 – The U.S. and U.K. spy agencies have issued separate cybersecurity advisories on 10/21/2019 urging users to patch and mitigate the VPN holes discussed below. The NSA advisory (PDF) warns that “multiple nation-states advanced persistent threat (APT) actors have weaponized” the flaws. The U.K.’s National Cyber Security Centre (NCSC) advisory is here.

Updated September 29, 2019 – SafeBreach Labs discovered a vulnerability in Forcepoint’s VPN client software. The flaw will give attackers unfettered access to its users’ Windows computers.

In its article detailing the bug, Forcepoint explained The flaw enables an attacker to insert their own executable which will run with administrative privileges, giving the attackers administrative access to the system. Forcepoint gave the bug a CVE number of 2019-6145 and a base severity score of 6.7. According to a  Forcepoint knowledge base article, the flaw is patched in version 6.6.1 of the Forcepoint VPN Client for Windows.

Updated September 10, 2019 –  ZDNet is reporting that the Chinese state-sponsored hacker group APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure since the security flaws discussed below became public knowledge last month. FireEye reports (PDF) that APT5 has been active since 2007 and has targeted multiple industries.

APT5 was reportedly one of the first to start scanning the internet and then later attempt to exploit vulnerabilities in the Fortinet and Pulse Secure VPN servers. The attackers sought to steal files storing password information or VPN session data from the affected products. These files would have allowed attackers to take over vulnerable devices.

Are Your VPNs - Virtual Pwnd NetworksEverybody loves their virtual private networks. SSL VPNs provide a convenient way for business users to connect to corporate networks while out of the office. A recent study by FlexJobs found 30% of workers have left a job because it did not offer flexible work options like remote work. Further, the report said, that 80% of staff would be more loyal to their employers if they had flexible work options and 52% of workers have tried to negotiate flexible work arrangements with their employer.

Great firewall of ChinaHackers love VPNs too

Last month VPNpro found that the majority of VPN services have close ties to China. CSO Online points out that if you are running a VPN that is developed and owned in China, then there is a serious chance that your information is not as private as you think. Every technology company that operates within China, including ISPs, are required to comply with any Chinese governmental request for data. That includes your data. The Chinese government has a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign companies.

VPNpro also found that some Chinese firms own different VPNs split among different subsidiaries. For example, the Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove, and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.

VPN attacksChina is not the only concern

VPNpro also found that seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.

VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore the company of origin, is completely hidden.

If that is not scary enough – There are new reports that attackers are now targeting the devices used to attach VPNs to the network. Help Net Security reports that attackers are exploiting known flaws in Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.

Flaws VPN installations

These attacks could allow attackers to steal passwords and gain full, remote access to an organization’s networks. Attackers have been targeting two vulnerabilities:

  • CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
  • CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.

Researchers Meh Chang and Orange Tsai at Taipei City, Taiwan-based consultancy Devcore reported the flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22, 2019.

In an August 9, 2019 blog post the Devcore researchers recapped their Black Hat 2019 demonstration. Tsai told TechCrunch in an email, “The SSL VPN is the most convenient way to connect to corporate networks … it’s also the shortest path to compromise their intranet.

Pulse Secure VPNs

Pulse Secure logoPrivately held California-based Pulse Secure released an update on April 24, 2019, to address these flaws and urged customers to upgrade all affected products “as soon as possible.” The vendor warned that aside from patching, no workaround would protect systems, “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).

Cyber threat intelligence firm Bad Packets has warned about activity aimed at vulnerable Pulse Connect Secure endpoints. So far they have found nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 across all sectors of the U.S. This includes:

  • U.S. military networks,
  • Hospitals,
  • Electric utilities,
  • Financial institutions, and
  • Fortune 500 companies.

Fortinet VPNs

Fortinet logo

Fortinet (FTNT) released a security advisory on May 24, 2019, to address these flaws and urged customers to update their firmware to safeguard themselves. In a blog post, the Devcore researchers wrote about the flaws they’d found in Fortinet devices, “In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.”

Independent British security researcher Kevin Beaumont told BankInfoSecurity he was tracking attacks against Fortigate servers. Beaumont reported seeing “the Fortigate SSL VPN backdoor being used in the wild” against one of his honeypots.

ZDNet claims the number of vulnerable FortiGate VPNs is believed to be in the hundreds of thousands, although we don’t have an exact stat about the number of unpatched systems that are still vulnerable to attacks.

rb-

This isn’t the first time that serious flaws have been found and patched in enterprise-grade networking gear. In 2016 researchers found a vulnerability in Fortinet’s FortiGate OS – that functioned as an SSH backdoor and researchers found an authentication bypass flaw in Juniper Networks (JNPR) ScreenOS firmware.

Patch your systemsIn April 2019, U.S. Homeland Security issued a warning about vulnerabilities in many major corporate VPN applications. The VPN apps from — Cisco (CSCO), Palo Alto Networks (PANW), Pulse Secure, and F5 Networks (FFIV)— improperly store authentication tokens and session cookies on a user’s computer.

Obviously, there is no time to waste: firms should update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.

Security researcher Kevin Beaumont told BankInfoSecurity:

Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents … Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities].

Maybe firms should get their VPN devices on a regular update schedule before they become Virtual Pwnd Networks.

Related Posts

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| July 28, 2015
Comments Off on Snoops Offer Security Tips

Snoops Offer Security Tips

Snoops Offer Security TipsIn one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Segregate networksSegregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Network monitringMaintain and monitor centralized host and network logging product after ensuring that all devices are logging enabled and their logs are collected to detect malicious activity and contain it as soon as possible;
  • Implement pass-the-hash mitigation to cut credential theft and reuse;
  • Deploy Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET) or other anti-exploitation capability for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevent systems to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.

The author quotes from the report;

I Luv your PCOnce a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.

rb-

For those who have not been following along, the TLA’s have been attacking and manipulating anti-virus software from Kasperskey.

SpyingWe also now know suspect that the TLA’s have compromised at least one and probably two hardware vendors. The Business Insider recalls, way back in 2013, as part of the Edward Snowden NSA spying revelations.German publication Spiegel wrote an article alleging that the NSA had done a similar thing — put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment. 

Over at Fortinet (FTNT) they had their own backdoor management console access issue that appeared in its FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with a secret hardcoded SSH logins with a secret passphrase.

The article seems like advertising for the TLA’s hacking program.

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedInFacebook and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| December 12, 2013
Comments Off on Is Your Data Safe From Gen Y?

Is Your Data Safe From Gen Y?

Is Your Data Safe From Gen Y?Fortinet (FTNT) released a new study that says that most Gen Y staff members are thwarting their employers’ Bring Your Own Device programs. Fortinet surveyed 3,200 employees between the ages of 21 and 32 on their attitudes and practices around BYOD and found that 51 percent of respondents said they would ignore formal BYOD policies at their organization.  “It’s worrying to see policy contravention so high …” Fortinet VP of Marketing John Maddison said in the study report.

Gen Y staff

Gen YThe same Fortinet survey revealed that 55 percent said they have been the victims of cyberattacks on their desktops or laptops. The respondents noted that those attacks had affected their productivity and potentially cost them corporate or personal data.

FierceCIO provides another example of staff’s cavalier attitude towards data security from Symantec. According to the Mountain View, CA-based Symantec (SYMC) when it comes to corporate data, employees who feel like they live in a “finder’s keepers” environment, Robert Hamilton, Symantec director of information risk management said. The firm surveyed workers in the U.S. about taking corporate data outside of the workplace if they would use company information in another job and their views on whether that constituted stealing. FierceCIO reports the results of the survey, were not encouraging to IT security professionals and IT management.

Finder’s keepers

  • Data theft40% of employees download work files to personal devices,
  • 40% of employees plan to use old company information in a new job role,
  • 56% of employees do not believe it is a crime to use a competitor’s trade secrets,
  • 68% of employees say their company doesn’t take proper steps to protect sensitive information.

Mr. Hamilton summarized, “The attitude is that ownership lies with the person that created it, not with the company that employs them.” He says companies need to do a better job of safeguarding data from employees, especially with the growing popularity of BYOD. Symantec noted,

Only 38 percent of employees say their managers view data protection as a business priority, and 51 percent think it is acceptable to take corporate data because their company does not strictly enforce policies

File sharingA survey by mobile file-sharing app provider Workshare provides more evidence of how employees flaunt IT policies by using free file-sharing services to store and share corporate documents from their mobile devices. FierceMobileIT reports that the firm’s survey revealed that 81% of employees access work documents from their mobile devices. A disturbing 72% of workers are using free file-sharing services without authorization from their IT departments.

Fiberlink recently conducted a survey of its customers about what apps they are blacklisting and whitelisting. DropBox appeared at the top of the blacklisted apps lists for both Android and iOS devices. Commenting on the results, Fiberlink CEO Christopher Clark told FierceMobileIT: “I think there are other ways besides DropBox or Box to do apps and content management.”

personal USB devicesWork documents on personal devices

Another survey, conducted by Ipsos MORI for Huddle found that 91% of U.S. office workers store work documents on personal devices, such as USB drives, and 38% store documents on consumer file-sharing services.

FierceMobileIT reports that Dropbox is the most used consumer file-sharing service for work document storage and sharing.

Patrice Perche, Fortinet’s senior Fred Donovan VP for international sales and support, said in the report:

This year’s research reveals the issues faced by organizations when attempting to enforce policies around BYOD, cloud application usage, and soon the adoption of new connected technologies. The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed.

FierceMobileIT’s Fred Donovan warns that enterprises need to educate their employees to combat the security risks of using consumer file-sharing services. He also says that employers need to offer enterprise-sanctioned file-sharing alternatives. Otherwise, employees will continue to bypass IT policies and put corporate data at risk. Symantec’s Hamilton told FierceCIO that firms need to undergo a cultural shift if they are going to win the battle of protecting their assets from their own staff.

rb-
Sharon Nelson at Ride the Lighting sums up my thoughts on the BYOD thing.

I have never understood the arrogance of this attitude or the failure to appreciate that employers have a duty to impose rules to protect client/customer/proprietary data./proprietary data.

It is common for each succeeding generation to despair of the generation that follows it, but I confess to a certain amount of despair for a generation that is so tied to their mobile devices that they cannot balance their desire to use their devices with the duty owed to the employer to keep work data secure. In a world where young folks cannot seem to keep from checking their phones at weddings and funerals, I guess it is no wonder that they see nothing wrong with willfully disobeying rules imposed at work.

What do you think? Is your data safe from Gen Y staff?

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| June 25, 2011
Comments Off on 40 Years of Malware – Part 2

40 Years of Malware – Part 2

40 Years of Malware - Part 22011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article that counts down some of the malware evolution low-lights.

The Sunnyvale, CA network security firm says that viruses evolved from academic proof of concepts to geek pranks which have evolved into cybercriminal tools. By 2005, monetization of the virus scene was underway and almost all viruses developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:

See Part 1 Here – See Part 2 Here  – See Part 3 Here  – See Part 4 Here

1945 – A Bug is Born –  Grace Murray Hopper, a researcher at Harvard, notes a system failure and finds a moth trapped in relay panels.

1949 – Self-replicating programsJohn von Newman a researcher from Hungary published the theoretical base for computers that store information in their “memory”.

1962 – A group of Bell Telephone Labs researchers invents a game that destroys software programs.

1971 – The Creeper Virus appears on ARPANET, the forerunner of the Internet. It replicates itself and displays a message: “I’m the Creeper: Catch Me if You Can.”

1974 – The Wabbit – was a self-replicating program, that made multiple copies of itself on a computer until it bogs down the system to such an extent that system performance is reduced to zero and the computer eventually crashes. This virus was named wabbit because of the speed at which it was able to replicate.

Apple IIe1981 – Elk Cloner – the first widespread virus on the Apple (AAPL) II platform, spreads by the floppy disk and infects boot sectors, generating messages and impairing performance.

1983 –  The term “computer virus” comes into vogue after Professor Len Adleman at Lehigh University demonstrates the concept at a seminar.

1986 – The Brain is the first global epidemic on the PC platform and shows businesses and consumers are clueless about protection.

1987 – Jerusalem virus – On any Black Friday (Friday the 13th), it would delete any programs that were run, instead of infecting them, so it simply couldn’t be ignored,” Roger Thompson told News.com, Australia. “You couldn’t throw away your hard drive, and reformatting it didn’t remove the virus,” the chief research officer for AVG said.

BSD Daemon1988 – The Morris worm – created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet and becomes the first worm to spread extensively “in the wild”, and one of the first well-known programs exploiting buffer overrun vulnerabilities.

1990 – Chameleon– the first documented polymorphic virus, malware that adapts and changes to avoid detection.

1992 – Michelangelo – was expected to create a digital apocalypse on March 6, with millions of computers having their information wiped according to mass media hysteria surrounding the virus.  Later assessments of the damage showed the aftermath to be minimal.

1995 –  Concept – the first Macro virus attacked Microsoft (MSFT) Word documents.

1996 – Laroux – the first Microsoft (MSFT) Excel virus, appears in the wild.

1999 – The Happy99 worm – invisibly attached itself to emails and would display fireworks to hide the changes being made then wished the user a happy New Year. It modified system files related to Microsoft (MSFT) Outlook Express and Internet Explorer (IE) on Windows 95 and Windows 98.

1999 – The Melissa worm targeted Microsoft (MSFT) Word and Outlook-based systems, and created considerable network traffic.

rb-

Back in the day, I had to deal with both Happy99 and Melissa, as well as the occasional Stoned. Melissa was the easiest to deal with since I was running a GroupWise shop at the time, once the news spread, we just pulled the Cat5 from the GWIA and we saw minimal blowback. Let’s hear it for technological diversity.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , , ,