Enterprise organizations using virtual private network (VPN) products from Fortinet, Palo Alto and Pulse Secure need to check their logs for suspicious activity, the UK’s top cybersecurity agency has warned.
The UK’s National Cyber Security Centre (NCSC) has issued a warning, aimed at government agencies and large enterprises, over intrusions into VPNs by state-backed hackers.
NCSC, which is part of the UK spy agency GCHQ, says the attacks affect organizations in government, the military, academia, business and healthcare. Both UK and non-UK organizations are being targeted.
The agency singles out six of the highest impact vulnerabilities that are being exploited, but notes the list is not exhaustive. The flaws were all disclosed in the past year and patches are available.
The exploited bugs include two flaws (CVE-2019-11510 and CVE-2019-11539) affecting the Pulse Connect Secure VPN; three vulnerabilities (CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383) affecting the SSL VPN in Fortinet’s FortiOS; and a critical remote code execution bug (CVE-2019-1579) in Palo Alto Networks’ GlobalProtect portal and GlobalProtect Gateway interfaces.
“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release,” NCSC states.
NCSC’s warning follows a report by ZDNet in September that a Chinese hacking group known as APT5 was the first to start scanning the internet for the flaws in Fortinet and Pulse Secure VPN servers. The group set up infrastructure for attacks on the VPN servers in late August, the same month in which two of the flaws, affecting Fortinet and Pulse Secure, were presented at the Black Hat USA security conference.
The agency advises admins to start by looking for evidence of compromised accounts being used from unexpected IP addresses or locations, or at unusual times.
It has also provided specific instructions for detecting possible exploitation of each vulnerability. For Pulse Connect Secure, NCSC recommends searching the device’s logs for evidence of requests to the vulnerable URLs.
For CVE-2019-11510, it recommends searching logs for URLs “containing ? and ending with /dana/html5acc/guacamole/ (Regular Expression: \?.*dana/html5acc/guacamole/ )”
“If any are found dated before the patch was applied, it may indicate a compromise. The matching string will contain the name of the file the attacker attempted to read,” NCSC warns.
Admins will need to check logs all the way back to April 24, when the patch was released. Pulse Secure’s security team said at the time it was “aware of existence of exploit code that can demonstrate these vulnerabilities” and strongly recommended that users upgrade to the patched software as soon as possible.
For CVE-2019-11539, it says: “Search for requests to /dana-admin/diag/diag.cgi with an options= parameter in the URL. An exploit will almost certainly contain: -r, # or 2> [Data between -r and # is perl code that would be executed.]”
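As an added illustration (this is not NCSC’s or Pulse Secure’s code), the following Python script applies both Pulse Connect Secure checks to a handful of constructed log lines. The line layout (timestamp, client IP, method, URL, status), the sample addresses and the sample requests are assumptions made for the example, not the appliance’s real log format; the April 24 cut-off is the patch date given above. It goes slightly beyond the NCSC text in two ways: it URL-decodes the options= value before looking for the -r, # and 2> markers, since an attacker can percent-encode them, and it resolves the traversal sequence so that the file actually targeted is reported.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote

# Patch release date per the article. NCSC: hits dated before the patch was
# applied may indicate compromise, so set this to the date your device was patched.
PATCH_DATE = datetime(2019, 4, 24)

# NCSC's regular expression for CVE-2019-11510 (arbitrary file read).
CVE_2019_11510_RE = re.compile(r"\?.*dana/html5acc/guacamole/")
# NCSC's indicators for CVE-2019-11539 (injection via the diag.cgi options= value).
CVE_2019_11539_MARKERS = ("-r", "#", "2>")

# Assumed line layout for this example: "<ISO timestamp> <client> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines (not real appliance output). In the file-read requests
# the traversal target sits in the path before the "?", as in the public exploit form.
SAMPLE_LOG = """\
2019-04-20T10:15:02Z 203.0.113.7 GET /dana-na/auth/url_default/welcome.cgi 200
2019-04-21T03:41:18Z 198.51.100.23 GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 200
2019-04-21T03:42:05Z 198.51.100.23 GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ 200
2019-04-22T11:09:44Z 198.51.100.23 GET /dana-admin/diag/diag.cgi?options=-r%20print(%60id%60)%23 200
2019-04-25T09:00:00Z 192.0.2.5 GET /dana-admin/diag/diag.cgi?options=ping 200
2019-05-02T14:30:11Z 203.0.113.7 GET /dana/home/index.cgi 200
2019-05-03T22:17:09Z 198.51.100.23 GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 404
"""


def parse_line(line):
    """Split one log line into fields; None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status)}


def query_param(url, name):
    """URL-decoded value of a query parameter, or None if absent.

    Parsed by hand rather than with urllib.parse.urlsplit so that a raw '#'
    in the request is not mistaken for a fragment separator and dropped.
    """
    if "?" not in url:
        return None
    for pair in url.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def check_cve_2019_11510(rec):
    """Flag file-read attempts and report the resolved path the attacker asked for."""
    if not CVE_2019_11510_RE.search(rec["url"]):
        return None
    raw_path = unquote(rec["url"].split("?", 1)[0])
    return {"cve": "CVE-2019-11510", "target": posixpath.normpath(raw_path)}


def check_cve_2019_11539(rec):
    """Flag diag.cgi requests whose decoded options= value carries the markers."""
    if not rec["url"].split("?", 1)[0].endswith("/dana-admin/diag/diag.cgi"):
        return None
    options = query_param(rec["url"], "options")
    if options is None:
        return None
    hits = [m for m in CVE_2019_11539_MARKERS if m in options]
    return {"cve": "CVE-2019-11539", "options": options, "markers": hits} if hits else None


def scan_pulse_log(text, patch_date=PATCH_DATE):
    """Run both checks over a log and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_cve_2019_11510, check_cve_2019_11539):
            hit = check(rec)
            if hit:
                hit.update(ts=rec["ts"], client=rec["client"], status=rec["status"],
                           before_patch=rec["ts"] < patch_date)
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_pulse_log(SAMPLE_LOG):
        flag = "BEFORE PATCH" if f["before_patch"] else "after patch"
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['client']:<15} {f['cve']} {flag}: "
              f"{f.get('target') or f.get('options')}")
```

Run against the sample, the script reports three pre-patch hits from one client (two file reads, one diag.cgi injection) and one post-patch attempt that got a 404; the pre-patch hits are the ones NCSC says to treat as possible compromise. Note that diag.cgi is an admin-side endpoint, so a CVE-2019-11539 hit usually means credentials were already taken, for instance via CVE-2019-11510.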
FortiGate devices need to have been manually configured to write firewall logs for all connections, so admins who never enabled that logging will have no records of the exploitation to search.
“When exploiting CVE-2018-13379, an attacker may download sslvpn_websession, which contains the usernames and passwords of active users. This file is typically at least 200 KB,” NCSC advises for those who have enabled logging.
“Searching firewall, or netflow logs, for TCP sessions with 200,000-250,000 bytes from the SSL VPN device's web interface port to the client, and a small number of bytes (less than 2,000) from the client, may return evidence of exploitation,” it added.
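Added example (not NCSC’s or Fortinet’s code): the session-size heuristic above applied to constructed flow records in CSV form. The column layout, the addresses and the choice of 10443 as the SSL VPN web port are assumptions for the sample; the byte thresholds are NCSC’s figures and are kept as parameters.

```python
import csv
import io
from collections import defaultdict

# Constructed NetFlow-style records (not real FortiGate or collector output).
# Column names are an assumption for this example; byte counts are per direction.
SAMPLE_FLOWS = """\
ts,client_ip,client_port,vpn_ip,vpn_port,client_bytes,vpn_bytes
2019-05-30T01:12:44Z,198.51.100.40,51022,192.0.2.10,10443,1450,221800
2019-05-30T01:13:02Z,203.0.113.9,51830,192.0.2.10,10443,48000,9200000
2019-05-30T01:14:10Z,203.0.113.9,51831,192.0.2.10,10443,1200,84000
2019-05-30T01:15:55Z,198.51.100.40,51023,192.0.2.10,10443,900,248100
2019-05-30T01:16:30Z,198.51.100.40,51024,192.0.2.10,22,600,230000
2019-05-30T02:03:17Z,203.0.113.9,51840,192.0.2.10,10443,1900,252500
"""

# NCSC's heuristic for CVE-2018-13379: a pulled sslvpn_websession file is
# typically at least 200 KB, so look for 200,000-250,000 bytes from the VPN
# web port to the client against fewer than 2,000 bytes from the client.
VPN_BYTES_MIN = 200_000
VPN_BYTES_MAX = 250_000
CLIENT_BYTES_MAX = 2_000
SSLVPN_PORT = 10443  # assumed for the sample; set to the port your SSL VPN portal listens on


def looks_like_websession_theft(flow, vpn_port=SSLVPN_PORT):
    """True when one flow record matches the size profile of the file download."""
    return (int(flow["vpn_port"]) == vpn_port
            and VPN_BYTES_MIN <= int(flow["vpn_bytes"]) <= VPN_BYTES_MAX
            and int(flow["client_bytes"]) < CLIENT_BYTES_MAX)


def find_suspect_sessions(csv_text, vpn_port=SSLVPN_PORT):
    """Return the matching flows, in file order."""
    return [f for f in csv.DictReader(io.StringIO(csv_text))
            if looks_like_websession_theft(f, vpn_port)]


def clients_by_hit_count(flows):
    """Group suspect flows by client address so repeated pulls stand out."""
    counts = defaultdict(int)
    for f in flows:
        counts[f["client_ip"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = find_suspect_sessions(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f['ts']} {f['client_ip']}:{f['client_port']} -> {f['vpn_ip']}:{f['vpn_port']} "
              f"client={f['client_bytes']}B vpn={f['vpn_bytes']}B")
    print(clients_by_hit_count(hits))
```

On the sample this flags two sessions, both from the same client a few minutes apart. A normal VPN login (large traffic in both directions) and a small portal fetch are left alone, as is the last row, which sits just over the upper bound: the bounds are NCSC’s figures, so treat sessions that land just outside them as worth a look rather than as cleared, and widen the thresholds if your active-user count makes the file larger.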
Palo Alto issued a patch on 17 July 2019 for the flaw that’s under attack, but the company didn’t publish an advisory until 24 July.
“It may be difficult to detect past exploitation in logs. But failed exploit attempts may cause a crash, which could be visible in logs,” NCSC says of Palo Alto’s VPN.
The agency recommends that organizations which suspect they have been compromised reset passwords, check VPN settings, review VPN traffic logs, wipe devices and, importantly, implement two-factor authentication for VPN services.