Hacking groups have been found to use outdated VPN software and specific exploits found in them to spy on the victims. This is according to several reports from government security agencies. This is particularly dangerous as the criminal collectives can use this against state networks or companies.
Vulnerable VPN Software Used To Spy On Users
Computer hackers are exploiting VPN software in order to take over control of the networks that are owned by high-profile companies and government targets. The news comes out of the NCSC (National Cyber Security Centre) of the United Kingdom which has reported on the issue. They have detected several instances where hacking groups are actively exploiting popular products including ones from well-known vendors such as Pulse Secure, Palo Alto and Fortinet. The criminals appear to currently target both international organizations and specific networks that are found in the United Kingdom. The NCSC lists that the sectors in which they operate range across military, academic, healthcare and business industries to government networks.
The issues that are targeted are mainly publicly-available information about exploits. The criminals use the gained knowledge to overcome the protection of the software and break the authentication mechanism. Once the hackers are in they will be able to connect to the VPN client, modify the user settings or redirect the traffic to servers controlled by the criminals.
The Widely Used Exploits VPN Software
The security researchers have revealed some of the most widely used exploits that are being used by the attackers to break the networks. The most common way this is done is to load the appropriate exploit in an automated hacking toolkit and customize it accordingly.
For Pulse Connect Secure:
- CVE-2019-11510 — This is a faulty arbitrary file reading which is done before the authentication procedure is started. It can be detected by searching the log files for URLs that contain the “?” string and ending with the following: /dana/html5acc/guacamole/ (Regular Expression: \?.*dana/html5acc/guacamole/. This may indicate that an attack has been made.
- CVE-2019-11539 — This is a command injection bug. Security administrators can check if they have been affected by searching for requests to the following file /dana-admin/diag/diag.cgi with an options= parameter in the URL. Exploits will almost certainly contain the following arguments: -r, # or 2>.
The solutions that are offered by Fortinet have been found vulnerable to the following exploits:
- CVE-2018-13379 — This is file reading of files which is done before the authentication process.
- CVE-2018-13382 — This allows hackers who have not passed authentication to change the credentials of VPN web portal users.
- CVE-2018-13383 — This is a heap overflow bug. When exploited it allows the hackers to access the command prompt of the victim systems.
Finally the VPN product offered by Palo Alto has been found to fall victim to CVE-2019-1579 which is an issue in the Global Protect Portal.
Computer administrators are urged to protect their networks by applying the latest updates to their VPN installations. This will protect the software from becoming affected by the weaknesses. However to better protect themselves they can also take other measures as well. This includes the reconfiguration of the local clients. System administrators may need to go over the SSH authorization keys and the iptables rules to check if there are any possibilities to hijack the systems. It would be wise to go over the log files and monitor for any suspicious activity and block the IP addresses of intruders. In some situations it may be useful to wipe the memory and factory reset the devices. A good advice is also to enable two-factor authentication and disable all unnecessary services.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: