Tag Archive for Palo Alto Networks

| August 31, 2019
Comments Off on Are Your VPNs – Virtual Pwnd Networks

Are Your VPNs – Virtual Pwnd Networks

Updated October 21, 2019 – The U.S. and U.K. spy agencies have issued separate cybersecurity advisories on 10/21/2019 urging users to patch and mitigate the VPN holes discussed below. The NSA advisory (PDF) warns that “multiple nation-states advanced persistent threat (APT) actors have weaponized” the flaws. The U.K.’s National Cyber Security Centre (NCSC) advisory is here.

Updated September 29, 2019 – SafeBreach Labs discovered a vulnerability in Forcepoint’s VPN client software. The flaw will give attackers unfettered access to its users’ Windows computers.

In its article detailing the bug, Forcepoint explained The flaw enables an attacker to insert their own executable which will run with administrative privileges, giving the attackers administrative access to the system. Forcepoint gave the bug a CVE number of 2019-6145 and a base severity score of 6.7. According to a  Forcepoint knowledge base article, the flaw is patched in version 6.6.1 of the Forcepoint VPN Client for Windows.

Updated September 10, 2019 –  ZDNet is reporting that the Chinese state-sponsored hacker group APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure since the security flaws discussed below became public knowledge last month. FireEye reports (PDF) that APT5 has been active since 2007 and has targeted multiple industries.

APT5 was reportedly one of the first to start scanning the internet and then later attempt to exploit vulnerabilities in the Fortinet and Pulse Secure VPN servers. The attackers sought to steal files storing password information or VPN session data from the affected products. These files would have allowed attackers to take over vulnerable devices.

Are Your VPNs - Virtual Pwnd NetworksEverybody loves their virtual private networks. SSL VPNs provide a convenient way for business users to connect to corporate networks while out of the office. A recent study by FlexJobs found 30% of workers have left a job because it did not offer flexible work options like remote work. Further, the report said, that 80% of staff would be more loyal to their employers if they had flexible work options and 52% of workers have tried to negotiate flexible work arrangements with their employer.

Great firewall of ChinaHackers love VPNs too

Last month VPNpro found that the majority of VPN services have close ties to China. CSO Online points out that if you are running a VPN that is developed and owned in China, then there is a serious chance that your information is not as private as you think. Every technology company that operates within China, including ISPs, are required to comply with any Chinese governmental request for data. That includes your data. The Chinese government has a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign companies.

VPNpro also found that some Chinese firms own different VPNs split among different subsidiaries. For example, the Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove, and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.

VPN attacksChina is not the only concern

VPNpro also found that seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.

VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore the company of origin, is completely hidden.

If that is not scary enough – There are new reports that attackers are now targeting the devices used to attach VPNs to the network. Help Net Security reports that attackers are exploiting known flaws in Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.

Flaws VPN installations

These attacks could allow attackers to steal passwords and gain full, remote access to an organization’s networks. Attackers have been targeting two vulnerabilities:

  • CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
  • CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.

Researchers Meh Chang and Orange Tsai at Taipei City, Taiwan-based consultancy Devcore reported the flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22, 2019.

In an August 9, 2019 blog post the Devcore researchers recapped their Black Hat 2019 demonstration. Tsai told TechCrunch in an email, “The SSL VPN is the most convenient way to connect to corporate networks … it’s also the shortest path to compromise their intranet.

Pulse Secure VPNs

Pulse Secure logoPrivately held California-based Pulse Secure released an update on April 24, 2019, to address these flaws and urged customers to upgrade all affected products “as soon as possible.” The vendor warned that aside from patching, no workaround would protect systems, “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).

Cyber threat intelligence firm Bad Packets has warned about activity aimed at vulnerable Pulse Connect Secure endpoints. So far they have found nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 across all sectors of the U.S. This includes:

  • U.S. military networks,
  • Hospitals,
  • Electric utilities,
  • Financial institutions, and
  • Fortune 500 companies.

Fortinet VPNs

Fortinet logo

Fortinet (FTNT) released a security advisory on May 24, 2019, to address these flaws and urged customers to update their firmware to safeguard themselves. In a blog post, the Devcore researchers wrote about the flaws they’d found in Fortinet devices, “In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.”

Independent British security researcher Kevin Beaumont told BankInfoSecurity he was tracking attacks against Fortigate servers. Beaumont reported seeing “the Fortigate SSL VPN backdoor being used in the wild” against one of his honeypots.

ZDNet claims the number of vulnerable FortiGate VPNs is believed to be in the hundreds of thousands, although we don’t have an exact stat about the number of unpatched systems that are still vulnerable to attacks.

rb-

This isn’t the first time that serious flaws have been found and patched in enterprise-grade networking gear. In 2016 researchers found a vulnerability in Fortinet’s FortiGate OS – that functioned as an SSH backdoor and researchers found an authentication bypass flaw in Juniper Networks (JNPR) ScreenOS firmware.

Patch your systemsIn April 2019, U.S. Homeland Security issued a warning about vulnerabilities in many major corporate VPN applications. The VPN apps from — Cisco (CSCO), Palo Alto Networks (PANW), Pulse Secure, and F5 Networks (FFIV)— improperly store authentication tokens and session cookies on a user’s computer.

Obviously, there is no time to waste: firms should update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.

Security researcher Kevin Beaumont told BankInfoSecurity:

Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents … Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities].

Maybe firms should get their VPN devices on a regular update schedule before they become Virtual Pwnd Networks.

Related Posts

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| October 25, 2016
Comments Off on Linux Turns 25

Linux Turns 25

Linux Turns 25Linus Torvalds released the first Linux operating system kernel on Oct. 5, 1991. On Oct. 6, 1991, Torvalds began arguing with volunteer developers who would go on to make Linux an open-source powerhouse and eventually a household name. Today the Linux community is upwards of 86 million users strong.

Linux Turns 25As part of celebrations to mark Linux’s 25th birthday the Linux Foundation has published its annual Linux Kernel Development Report (PDF reg required). According to the Register, the report concludes that Linux is in great shape, “There may be no other examples of such a large, common resource being supported by such a large group of independent actors in such a collaborative way.”

The independent actors have a lot to collaborate on. The report notes that the first versions of the Linux kernel comprised about 10,000 lines of code. Now it’s nearing 22 million and growing at a rate of 4,600 lines a day.

Wall StreetWhile Linux may have started out as a hobby OS, that changed in the early 2000s. At the turn of the century, Wall Street banks demanded Linux support for their enterprise application servers says Tech News World.

“That was a moment that broke down resistance to Linux in the big IT vendors like BEA, IBM, and Oracle (ORCL). That hole in the dam was the start of a flood,” said Cloud Foundry CEO Sam Ramji. “Today Linux is the home of operating system innovation.

Linux user and open source advocateAporeto Virtualization Expert Stefano Stabellini, who has been a Linux user and open source advocate since the 1990s explained the transition. “… back when I started with Linux in the ’90s … [companies] did not understand it. They thought that open source was unsustainable, and Linux was niche and hobbyist.” He says that now everything has changed. Every company has an open source strategy now. “Microsoft (MSFT) was the biggest foe and now is a strong ally. Linux is the most widely adopted operating system of all times.

Dice points out that the most active contributors to the growth of Linux have included (in descending order) Intel (INTC), Red Hat, Linaro, Samsung (005930), SUSE, IBM (IBM), and various corporate consultants. Google (GOOG), AMD (AMD), and Texas Instruments (TXN) also ranked in the top 15.

rb-

So my first pass at Linux was Red Hat Linux 5.0. when Novell bought into Linux. Yeap I was a Novell CNE 5 way back in the day.

The last couple of projects I have been involved with have used Linux and not Windows, CMS, IVR, PAFW’s, and storage.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| May 8, 2012
Comments Off on Unknown Malware Rampant in Enterprise Networks

Unknown Malware Rampant in Enterprise Networks

Unknown Malware Rampant in Enterprise NetworksUnknown malware plague enterprise networks according to network security company Palo Alto Networks. Help Net Security reports that Palo Alto Networks found hundreds of unique, previously unknown malware samples on live networks. Palo Alto Networks conducted the research with their new WildFire malware analysis engine.

DarkReading says that the cloud-based WildFire analysis engine found that seven percent of all unknown files analyzed contained malware. WildFire is a new service recently announced by Palo Alto Networks that integrates in-line firewalling with automated cloud-based malware analysis. Over a three-month period of analyzing unknown files from the Internet entering enterprise networks,the firm discovered more than 700 unique malware samples, 57 percent of which had no coverage by any antivirus service or were unknown by Virus Total at the time of discovery. Out of all the new malware identified, 15 percent also generated malicious or unknown outbound command and control traffic.

The firewalls identify unknown and potentially malicious files by executing them in a virtual cloud-based environment to expose malicious behavior even if the malware has never been seen in the wild before. Wade Williamson, Senior Security Analyst at Palo Alto Networks says, “WildFire is taking sandbox technology out of the lab and applying it to a real product … customers can detect and protect themselves against malware using the hardware that they already have deployed today.”

automatically generates new signaturesFor malicious files, Palo Alto Networks automatically generates new signatures for both the file itself and for any traffic generated by the malicious file. These signatures are then distributed with regular signature updates, as well as providing the user with actionable analysis of exactly how the malware behaves, who was targeted, and what application delivered the threat.

“I think we were all a bit surprised by the volume and frequency with which we were finding unknown malware in live networks,” the Senior Security Analyst said. “Unknown malware often represents the leading edge of an organized attack, so this data really underscores the importance of getting new anti-malware technologies out of the lab and into the hands of IT teams who are on the front lines. The ability to detect, remediate and investigate unknown malware needs to become a practical part of a threat prevention strategy in the same way that IPS and URL filtering are used today.

MalwarePalo Alto Networks found that a variety of web applications distributed zero-day malware, in addition to the traditional HTTP web-browsing and email traffic commonly associated with malware distribution. WildFire was able to identify specific phishing campaigns based on their affinity for particular applications. One attacker used AOL Mail and another used the Hotfile file hosting service as the delivery vector.

It’s important to note this because many enterprises only inspect email or FTP traffic for malware but do not have the ability to scan other applications. Applications that tunnel within HTTP or other protocols can carry malware that will be invisible to a traditional anti-malware solution,” said Williamson. “These are examples of the big reasons why a lot of malware gets missed – most enterprises only focus on scanning their corporate email application. To control this problem we need to expand our view to other applications, pull the traffic apart, and go a level deeper in to find out if there’s a file transfer happening.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| October 18, 2011
One comment

Staff End Runs Security

When I am reclining in my Bach Seat, contemplating sharing tech services, my mind wanders to the consumerization of IT. The iPads have made an official beachhead and Skype has made it inside the perimeter. So I should not feel alone being concerned about security according to recent reports from Trend Micro and Cisco (CSCO).

employees bypass security roadblocks to engage in social networkingHelp Net Security reports that despite more workplaces regulating social networking site access, employees bypass security roadblocks to engage in social networking. The research by Trend Micro says that employees are finding ways around security roadblocks, making social networking a way of office life around the world. Trend Micro’s 2010 corporate end-user survey, found that globally, social networking at the workplace steadily rose from 19 percent in 2008 to 24 percent in 2010.

The survey also found that laptop users are much more likely than desktop users to visit social networking sites. Globally, social networking usage via laptops went up by 8 percent from 2008 to 2010. In the U.S., it increased by 10 percent In 2010, 29 percent of laptop users versus 18 percent of desktop users surveyed said they frequented these sites at work.

social networking is one of their organization's three greatest security risksThe survey also found that laptop users who can connect to the Internet outside of the company network are more likely to share confidential information via instant messenger, Webmail, and social media applications than those who are always connected to a company’s network.

A 2010 Cisco survey, which looked at the security impact of personal gadgets and social networking in the workplace, found that employees are consistently (Cisco’s words) finding ways around security policies. 68 percent of those surveyed by Cisco said that employees use unsupported social networking applications. Heavy use of unsupported collaboration, P2P, and cloud applications were also reported. More than half said social networking is one of their organization’s three greatest security risks. More than a third reported that their company lost data or experienced a breach because of employees using unsupported devices.

rb-

So why is Facebook such a problem for enterprises? For one, it is a huge time waster. Datacenter Knowledge reports that Facebook users spend a total of more than 16 billion minutes on social networking site Facebook per day. Facebook VP of Technical Operations Jonathan Heiliger stated that 3 billion photos are uploaded to Facebook each month and users view more than 1 million photos every second during a presentation at the Velocity 2010 conference

The more popular the social network, the more effective social networks become as malware distribution platforms. KOOBFACE, the “largest Web 2.0 botnet,” controls and commands compromised machines globally. This demonstrates the scale of the threat and emphasizes the need to educate users and implement strong policies.

Trend Micro says that trying to just prevent users from accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security possibly increasing the chance of exposure to security threats. The lesson, in Cisco’s view, is that you better find the technologies–and resources–to support personal devices and applications because they will be used regardless. “The best strategic approach is to focus less on restricting usage and more on effective solutions to ensure highly secure, responsible use,” said Fred Kost, Cisco’s director of security solutions.

Call me old-school but it seems that employees have always learned to work within reasonable company boundaries. Another option for those organizations that need web 2.0 in the organization should take a look at Palo Alto Networks who have developed a firewall that can block the wasteful parts of social media and leave some parts of the web 2.0 app accessible.

Consumer technologies evolve faster than the IT department budget, and it could be a constant game of catch-up trying to accommodate the latest rogue gadgets and widgets. Ultimately, rogue IT use is not so much a failure of technology, but a failure of policy and policy enforcement.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,