According to the UK’s National Cyber Security Centre (NCSC), advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.
This week the NCSC issued an alert to warn organizations using the vulnerable products.
“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse secure, Palo Alto and Fortinet.” reads the alert issued by the NCSC.
“This activity is ongoing, targeting both UK and international
The CVE-2018-13379 is a path traversal vulnerability in the
The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.
APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.
The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.
“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that
“Apart from specific product advice below, administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.
Snort rules are available in open source, but may not pick up events for exploits over HTTPS.”
(SecurityAffairs – vBulletin, data breach)