UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities

The UK’s National Cyber Security Centre (NCSC) warns of attacks exploiting recently disclosed VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure

According to the UK’s National Cyber Security Centre (NCSC), advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.

This week the NCSC issued an alert to warn organizations using the vulnerable products.

“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse secure, Palo Alto and Fortinet.” reads the alert issued by the NCSC.

“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare,”

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379,

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The CVE-2018-13379 flaw could be exploited to obtain administrator credentials in plain text.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release.” concludes the NCSC.

“Apart from specific product advice below, administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.

Snort rules are available in open source, but may not pick up events for exploits over HTTPS.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.