Hackers targeting VPN vulnerabilities in ongoing attacks

As remote work has increased during the pandemic, threat actors increasingly target known vulnerabilities. 

Introduction

Nation-state actors are exploiting known vulnerabilities in several VPN [Virtual Private Network] and other remote access products, indicating a troubling trend for organisations.

Multiple advisories and reports have been published over 2021/Q2 addressing vulnerabilities found in some VPNs, the use of which has sky-rocketed in the rush to remote work during the COVID-19 pandemic. Vendors like FireEye have observed those vulnerabilities being used in the wild, with targets including government and financial organisations. A majority of the malicious activity stems from known vulnerabilities, which have patches and updates available. However, it appears many organisations are not completing patches and updates as some of the same vulnerabilities continually threaten security postures.

The most recent Cybersecurity and Infrastructure Security Agency [CISA] advisory provided new information on last year's massive supply chain attack on the SolarWinds Orion platform. In the advisory CISA said it recently responded to an advanced persistent threat [APT] actor's "long-term compromise of an entity's enterprise network, which began in at least March 2020."

Functional VPN

According to the advisory, [April 2021] the actor connected to the entity's network via a Pulse Secure VPN appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as Supernova and then collected credentials. While there is a CVE [Common Vulnerabilities and Exposures] identifier available for the SolarWinds Orion flaw, a CISA spokesperson remarked that there is not one for the Pulse Secure vulnerability mentioned in the advisory.

Vulnerabilities in Pulse Secure VPN appliances have been the focus of several such alerts lately.

For example, a joint advisory in April 2021 by the National Security Agency (NSA), CISA and FBI said the Russian Foreign Intelligence Service actors have frequently used publicly known vulnerabilities in initial attack stages. The ongoing attacks exploit flaws in Fortinet's FortiGate VPN and Pulse Secure's Pulse Connect Secure VPN, as well as VMware's Workspace One Access and Citrix Application Delivery Controller and Gateway, all of which we routinely use in a variety of situations to establish digital forensic examinations and conclusions.

According to that advisory, actors use the vulnerabilities to "conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access." Techniques used include exploiting public-facing applications, leveraging external remote services, compromising supply chains, using valid accounts, exploiting software for credentials access and forging web credentials. The targets include national security and government-related systems.
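The "widespread scanning" the advisory describes usually shows up first in the access logs of the appliance's web front end, and the most common probe class against remote-access portals is directory traversal. The following is an added example, not code from the article or from any vendor: a small log parser that percent-decodes each request target (repeatedly, because double encoding is a common evasion), then flags any request whose path or query contains a `..` segment, and tallies the probing sources. The log lines are constructed for illustration.

```python
"""Flag directory-traversal probes in web access logs (added example).

The sample lines below are constructed, not captured from a real appliance.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [15/Apr/2021:10:01:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 162
198.51.100.9 - - [15/Apr/2021:10:02:11 +0000] "GET /images/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
198.51.100.9 - - [15/Apr/2021:10:02:13 +0000] "GET /login?next=%252e%252e%252fadmin HTTP/1.1" 200 512
192.0.2.4 - - [15/Apr/2021:10:03:00 +0000] "POST /api/session HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then fold
    backslashes to slashes so '..' segments can be matched literally."""
    prev, cur = None, target
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(target):
    """True when any path segment, or any query value segment, is '..'."""
    decoded = normalise(target)
    path, _, query = decoded.partition("?")
    if ".." in path.split("/"):
        return True
    # Query-string values are often overlooked by front-end filters.
    for pair in query.split("&"):
        _, _, value = pair.partition("=")
        if ".." in value.split("/"):
            return True
    return False


def find_traversal_probes(log_text):
    """Return one record per request that looks like a traversal probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
            })
    return hits


def sources_by_probe_count(hits):
    """Count probes per source address, for triage and blocking decisions."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    probes = find_traversal_probes(SAMPLE_LOG)
    for p in probes:
        print(f'{p["ip"]:15} {p["status"]} {p["target"]}')
    print(sources_by_probe_count(probes))
```

A 200 response to a probe (the fourth sample line) deserves more attention than a 403 or 404, so keeping the status code in each record lets the triage step sort successful-looking requests first.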

There are five vulnerabilities highlighted in the advisory: CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, CVE-2019-19781 and CVE-2020-4006. Most of the listed vulnerabilities are over two years old with patches available, and previous advisories have urged enterprises to update to avoid exploitation activity.

Just earlier this year, a joint cybersecurity advisory by the FBI and CISA said APTs may be exploiting multiple Fortinet FortiOS vulnerabilities, including the one found in the advisory from 15 April 2021. The critical vulnerability -- CVE-2018-13379 -- was resolved in May 2019 and received a CVSS score of 9.8; if exploited, the flaw allows an authenticated attacker to download system files. The advisory urged organizations to patch and update immediately.

The NSA previously released an advisory on the VMware vulnerability in December of last year, warning of Russian state-sponsored actors using the critical flaw to forge Security Assertion Markup Language (SAML) credentials to "send seemingly authentic requests to gain access to protected data." The advisory strongly recommended that the National Security System, Department of Defense and the Defense Industrial Base system administrators apply the vendor-issued patch as soon as possible.

However, it appears that many organisations, governments included, have not completed updates, as threat actors continually take advantage of old vulnerabilities.

These secure remote access products have one commonality that may be causing security to fall through the cracks. Scott Caveza, research engineering manager at Tenable, told SearchSecurity that the significance of these products within an organization may be contributing to slower patch times. "For something critical such as a VPN device, downtime for patching could majorly disrupt productivity," he said.

Caveza referred to SSL VPN devices as "mission-critical software" for which there may be no backup option available. "Patch windows have to be carefully planned and coordinated and a backup plan needs to be in place in case of lost configuration or incompatible patch."

Additionally, Caveza said there are likely many organisations that don't perform routine vulnerability scans or regularly monitor vendor vulnerability disclosures. Those reasons could cause a significant delay from the time a vulnerability is disclosed to the time that an organisation becomes aware of the vulnerability and an accompanying patch.
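The gap Caveza describes, between a vendor disclosing a fix and an organisation noticing that one of its appliances needs it, can be measured mechanically once an inventory exists. The following is an added example, not code from the article or from any vendor: it compares an asset inventory against a list of advisories by product and version and reports, for every exposed appliance, how many days the patch has been available. The CVE identifiers are the ones the article lists; the fixed-in versions, publication dates and the inventory are constructed placeholders, so check the actual vendor advisory before reusing them.

```python
"""Patch-gap check for remote-access appliances (added example).

CVE identifiers are those cited in the article; 'fixed_in' versions,
'published' dates and the inventory are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: str    # first non-vulnerable version (PLACEHOLDER, not vendor data)
    published: date  # date the fix became available (PLACEHOLDER, not vendor data)


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


ADVISORIES = [
    Advisory("CVE-2019-11510", "pulse-connect-secure", "9.0.4", date(2019, 4, 24)),
    Advisory("CVE-2018-13379", "fortios", "6.0.5", date(2019, 5, 24)),
    Advisory("CVE-2019-19781", "citrix-adc", "13.0.47", date(2020, 1, 19)),
]

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    Asset("vpn-01", "pulse-connect-secure", "9.0.3"),
    Asset("vpn-02", "pulse-connect-secure", "9.1.11"),
    Asset("fw-edge", "fortios", "6.0.10"),
    Asset("adc-01", "citrix-adc", "12.1.55"),
]


def parse_version(v):
    """'9.0.3' -> (9, 0, 3); a component with no digits compares as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison, zero-padded so '13.0' equals '13.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def patch_gap(inventory, advisories, today):
    """List every asset running a version below an advisory's fixed-in
    version, oldest outstanding patch first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv.product == asset.product and version_lt(asset.version, adv.fixed_in):
                findings.append({
                    "hostname": asset.hostname,
                    "cve": adv.cve,
                    "running": asset.version,
                    "fixed_in": adv.fixed_in,
                    "days_patch_available": (today - adv.published).days,
                })
    findings.sort(key=lambda f: -f["days_patch_available"])
    return findings


if __name__ == "__main__":
    for f in patch_gap(INVENTORY, ADVISORIES, date.today()):
        print(f'{f["hostname"]:8} {f["cve"]:15} running {f["running"]:8} '
              f'fixed in {f["fixed_in"]:8} patch available {f["days_patch_available"]} days')
```

Run against a real inventory, the `days_patch_available` column is the number that answers the question this article keeps returning to: not whether a flaw is known, but how long a known fix has sat unapplied on an internet-facing device.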

"While it's impossible to know for sure why these flaws seemingly fall through the cracks, it's very clear that attackers regularly find success targeting well known, unpatched vulnerabilities," he said.

Jake Olcott, vice president of communications and government affairs at risk management vendor BitSight, said there is often a long tail of organisations that do not patch critical vulnerabilities in a timely fashion, regardless of whether the flaws are in Pulse Secure VPNs or the latest Microsoft Exchange Server software.

"While some sectors may have higher rates of vulnerability -- the government sector, for example, had the highest rates of vulnerable Microsoft Servers when we first started tracking the issue -- we observe organizations of all sizes in every sector that struggle to effectively manage their security performance," Olcott said in an email to SearchSecurity.

The reason why these critical vulnerabilities are not being addressed, even after months or years, is difficult to know. Olcott said reasons can include lack of visibility, lack of awareness of the severity of the vulnerability, patchwork security programs, overwhelmed security teams, lack of targeted information sharing and absence of adequate oversight.

Another factor is the high number of assigned CVEs just in the last year -- over 18,000. It is becoming too much for security teams to handle, Caveza said, especially as more and more employees move to remote work, expanding security risks.

Caveza said it's the perfect storm of more and more connected devices, increased interest and activity by threat actors and a shortage of resources and budgets made available for defenders.

"Every week a slew of new vulnerabilities are patched while dozens of new exploits are released and used by attackers. While it's easy to reflect back and say organizations should be patching faster and more regularly, the reality is that many IT staff are overwhelmed with the number of devices and patches that need to be applied across an organisation," he said.

While there is no straight answer as to why or how to patch in a timelier manner to avoid exploitation, it is an important policy question.

fintech security forensic and anti-forensic