Intelligence agencies in the United States and United Kingdom have issued a warning to customers using VPN services provided by Palo Alto Networks, Fortinet, and Pulse Secure. Specifically, the agencies say users should update their services to avoid attacks from state-sponsored advanced persistent threat (APT) groups.
Those groups are exploiting vulnerabilities in outdated versions of VPN services provided by the companies. By exploiting the flaw, the APT's can conduct attacks around the world.
According to a National Security Agency (NSA) Cybersecurity Advisory, APT groups have already created weaponized exploits around three flaws: CVE-2019-11539, CVE-2019-11510 and CVE-2018-13379.
With the exploit, bad actors can gain access to devices using the outdates VPNs.
In the United Kingdom, the National Cyber Security Centre also issued a warning (separately from the NSA). According to the advisory, the flaws allow “an attacker to retrieve arbitrary files, including those containing authentication credentials.”
Bad actors can exploit the vulnerabilities to steal VPN user's credentials and make adjustments to configurations. Once connected an attacks would be able to have control over a machine and introduce more exploits into the network.
As well as the NSA-detailed vulnerabilities, the UK advisory points to two more Fortinet flaws, CVE-2018-13382 and CVE-2018-13383, alongside another Palo Alto Networks problem, CVE-2019-1579:
“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”
Mitigation
Both agencies say there are steps users can take to avoid the flaws. First is to simply update the VPN services with the latest patches and security features. Furthermore, because the groups are targeting credentials, users are advised to update theirs. NSA also recommends removing any current VPN server keys and creating new ones.
