Updated October 21, 2019 – The U.S. and U.K. spy agencies have issued separate cybersecurity advisories on 10/21/2019 urging users to patch and mitigate the VPN holes discussed below. The NSA advisory (PDF) warns that “multiple nation-states advanced persistent threat (APT) actors have weaponized” the flaws. The U.K.’s National Cyber Security Centre (NCSC) advisory is here.
—
Updated September 29, 2019 – SafeBreach Labs discovered a vulnerability in Forcepoint’s VPN client software. The flaw will give attackers unfettered access to its users’ Windows computers.
In its article detailing the bug, Forcepoint explained The flaw enables an attacker to insert their own executable which will run with administrative privileges, giving the attackers administrative access to the system. Forcepoint gave the bug a CVE number of 2019-6145 and a base severity score of 6.7. According to a Forcepoint knowledge base article, the flaw is patched in version 6.6.1 of the Forcepoint VPN Client for Windows.
—
Updated September 10, 2019 – ZDNet is reporting that the Chinese state-sponsored hacker group APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure since the security flaws discussed below became public knowledge last month. FireEye reports (PDF) that APT5 has been active since 2007 and has targeted multiple industries.
APT5 was reportedly one of the first to start scanning the internet and then later attempt to exploit vulnerabilities in the Fortinet and Pulse Secure VPN servers. The attackers sought to steal files storing password information or VPN session data from the affected products. These files would have allowed attackers to take over vulnerable devices.
—
Everybody loves their virtual private networks. SSL VPNs provide a convenient way for business users to connect to corporate networks while out of the office. A recent study by FlexJobs found 30% of workers have left a job because it did not offer flexible work options like remote work. Further, the report said, that 80% of staff would be more loyal to their employers if they had flexible work options and 52% of workers have tried to negotiate flexible work arrangements with their employer.
Hackers love VPNs too
Last month VPNpro found that the majority of VPN services have close ties to China. CSO Online points out that if you are running a VPN that is developed and owned in China, then there is a serious chance that your information is not as private as you think. Every technology company that operates within China, including ISPs, are required to comply with any Chinese governmental request for data. That includes your data. The Chinese government has a long and well-documented history of hacking, favoring, and helping local businesses at the expense of foreign companies.
VPNpro also found that some Chinese firms own different VPNs split among different subsidiaries. For example, the Chinese company Innovative Connecting owns three separate businesses that produce VPN apps: Autumn Breeze 2018, Lemon Cove, and All Connected. In total, Innovative Connecting produces 10 seemingly unconnected VPN products, the study shows.
China is not the only concern
VPNpro also found that seven of the top VPN services are owned by Gaditek, based in Pakistan. This means the Pakistani government can legally access any data without a warrant and data can also be freely handed over to foreign institutions, according to VPNpro.
VPNpro identified a further four companies: Super VPN & Free Proxy, Giga Studios, Sarah Hawken, and Fifa VPN, which together own 10 VPN services – where the parent company, and therefore the company of origin, is completely hidden.
If that is not scary enough – There are new reports that attackers are now targeting the devices used to attach VPNs to the network. Help Net Security reports that attackers are exploiting known flaws in Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations.
Flaws VPN installations
These attacks could allow attackers to steal passwords and gain full, remote access to an organization’s networks. Attackers have been targeting two vulnerabilities:
- CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure
- CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal.
Researchers Meh Chang and Orange Tsai at Taipei City, Taiwan-based consultancy Devcore reported the flaws to Fortinet on Dec. 11, 2018, and to Pulse Secure on March 22, 2019.
In an August 9, 2019 blog post the Devcore researchers recapped their Black Hat 2019 demonstration. Tsai told TechCrunch in an email, “The SSL VPN is the most convenient way to connect to corporate networks … it’s also the shortest path to compromise their intranet.”
Pulse Secure VPNs
Privately held California-based Pulse Secure released an update on April 24, 2019, to address these flaws and urged customers to upgrade all affected products “as soon as possible.” The vendor warned that aside from patching, no workaround would protect systems, “Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS).”
Cyber threat intelligence firm Bad Packets has warned about activity aimed at vulnerable Pulse Connect Secure endpoints. So far they have found nearly 15,000 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510 across all sectors of the U.S. This includes:
- U.S. military networks,
- Hospitals,
- Electric utilities,
- Financial institutions, and
- Fortune 500 companies.
Fortinet VPNs
Fortinet (FTNT) released a security advisory on May 24, 2019, to address these flaws and urged customers to update their firmware to safeguard themselves. In a blog post, the Devcore researchers wrote about the flaws they’d found in Fortinet devices, “In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.”
Independent British security researcher Kevin Beaumont told BankInfoSecurity he was tracking attacks against Fortigate servers. Beaumont reported seeing “the Fortigate SSL VPN backdoor being used in the wild” against one of his honeypots.
ZDNet claims the number of vulnerable FortiGate VPNs is believed to be in the hundreds of thousands, although we don’t have an exact stat about the number of unpatched systems that are still vulnerable to attacks.
rb-
This isn’t the first time that serious flaws have been found and patched in enterprise-grade networking gear. In 2016 researchers found a vulnerability in Fortinet’s FortiGate OS – that functioned as an SSH backdoor and researchers found an authentication bypass flaw in Juniper Networks (JNPR) ScreenOS firmware.
In April 2019, U.S. Homeland Security issued a warning about vulnerabilities in many major corporate VPN applications. The VPN apps from — Cisco (CSCO), Palo Alto Networks (PANW), Pulse Secure, and F5 Networks (FFIV)— improperly store authentication tokens and session cookies on a user’s computer.
Obviously, there is no time to waste: firms should update their vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations as soon as possible.
Security researcher Kevin Beaumont told BankInfoSecurity:
Lots of companies have the basics around patching Windows and Linux down, as they have vulnerability management platforms and agents … Those don’t extend to FortiOS and Pulse Secure. So they just don’t patch as they never see [vulnerabilities].
Maybe firms should get their VPN devices on a regular update schedule before they become Virtual Pwnd Networks.
Related Posts
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Today is Data Privacy Day. Data Privacy Day commemorates the first legally binding international treaty dealing with privacy and data protection, signed on January 28, 1981. It is observed annually in Canada, the U.S. and Europe. In North America, Data Privacy Day campaign is officially led by the National Cyber Security Alliance (NCSA). 
The more information you share about yourself (as well as your friends and family), the greater the risk of exposure to online threats such as identity theft, cyber-stalking and cyber-bullying. Here are some simple tips on how to protect your online information, identity and privacy on Data Privacy Day 2022.
Big tech loves your data. This data privacy day, take steps to protect Information about you, such as the games you like to play, your contacts list, where you shop and your location. It all has value to Facebook. Treat your info – just like money. Be thoughtful about who gets that information and how it’s collected through apps. Tips to protect yourself from Facebook.
Your mobile devices need regular updates just like your PC or laptop. This data privacy day, install the most up-to-date security software, web browser, operating system and apps. This is the best way to protect you privacy. Patching all your devices is the best defense against viruses, malware and other online threats.
Imagine my surprise when I got a notification this morning (10/30/2020) at 11:42AM (local time) – Your site has been updated to WordPress 5.5.3-alpha-49449. has been updated automatically to WordPress 5.5.3-alpha-49449. No further action is needed on your part. 
IT departments organizations are busy keeping up with XP replacements, Cloud migrations, BYOD implementations and now Microsoft has reminded everybody that there are other fires burning on the horizon. 
