NSA issues advisory: malicious cyber actors leveraging VPN vulnerabilities

The National Security Agency issued an alert on October 7 that multiple Advanced Persistent Threat (APT) actors are currently exploiting various VPN vulnerabilities to gain access to unprotected networks. Malicious cyber actors often use newly released software patches as a guide to develop exploits, then use those exploits against networks that have not yet applied the vendor-released patches. Multiple VPN vulnerabilities affecting several major VPN products have been published over the last six months. Upgrade your VPN products to the latest vendor-released versions to protect your networks from these attacks.

Known vulnerabilities affect Pulse Secure, Palo Alto GlobalProtect, and Fortinet Fortigate VPN products. If you suspect you may have been compromised:

  • Immediately upgrade your VPN to the latest version;
  • Reset credentials before reconnecting the upgraded devices to an external network;
  • Review your network accounts to ensure adversaries did not create new accounts;
  • Update VPN user, administrator, and service account credentials;
  • Revoke and create new VPN server keys and certificates.

VPN CVEs currently being exploited include, but may not be limited to:

  • CVE-2019-11510 and CVE-2019-1153, which allow remote arbitrary file downloads and remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways;
  • CVE-2018-13379, which allows specially crafted HTTP requests to download system files from Fortinet Fortigate devices;
  • CVE-2019-1579, which allows remote code execution against Palo Alto GlobalProtect VPNs.

NSA strongly encourages system owners to upgrade their applicable VPN products to the latest versions and to review all account activity for anomalous use of legitimate credentials that may have been obtained from the unpatched VPN. For further mitigation and VPN hardening guidance, please refer to this NSA advisory, the Canadian Centre for Cyber Security's VPN Alert, the UK National Cyber Security Centre's Alert, and your vendor's security configuration best practices documents.
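The account review the advisory asks for (checking that no new accounts were created, and looking for anomalous use of legitimate credentials stolen through the unpatched VPN) is straightforward to script against exported gateway authentication logs. The following is an added example written for this page; it is not NSA code, and the log line format, the baseline account list, the per-user "known source network" table and every sample entry are constructed assumptions. It flags three things a responder would want after a suspected VPN compromise: successful logins by accounts absent from the pre-incident baseline, successful logins by known accounts from networks never seen for them before, and a single source address authenticating as several different users.

```python
"""Post-compromise VPN account review (added example, not from the advisory).

Assumed log format (constructed for this example; real gateways differ):
    <ISO-8601 UTC timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ipv4>
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: accounts that existed before the suspected compromise window.
BASELINE_ACCOUNTS = {"alice", "bob", "carol", "svc-backup"}

# Constructed: networks each account normally connects from (RFC 5737 test ranges).
KNOWN_SOURCES = {
    "alice": ["203.0.113.0/24"],
    "bob": ["198.51.100.0/24"],
    "carol": ["203.0.113.0/24"],
    "svc-backup": ["192.0.2.0/24"],
}

# Constructed sample log: one unknown account and one address reused across users.
SAMPLE_LOG = """\
2019-10-08T01:12:44Z LOGIN_OK user=alice src=203.0.113.25
2019-10-08T02:03:10Z LOGIN_OK user=bob src=198.51.100.7
2019-10-08T02:05:51Z LOGIN_OK user=alice src=198.51.100.200
2019-10-08T02:06:02Z LOGIN_OK user=support-tmp src=198.51.100.200
2019-10-08T03:15:00Z LOGIN_FAIL user=carol src=203.0.113.40
2019-10-08T03:15:30Z LOGIN_OK user=carol src=203.0.113.40
2019-10-08T04:00:00Z LOGIN_OK user=svc-backup src=198.51.100.200
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def from_known_source(src, networks):
    """True if src falls inside any of the CIDR networks listed for the user."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def review(log_text, baseline=BASELINE_ACCOUNTS, known=KNOWN_SOURCES):
    """Return a list of (finding_type, subject, detail) tuples for analyst triage."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    ok = [e for e in events if e["result"] == "LOGIN_OK"]
    findings = []

    # 1. Successful logins by accounts that were not in the pre-incident baseline.
    for e in ok:
        if e["user"] not in baseline:
            findings.append(("unknown_account", e["user"], e["src"]))

    # 2. Known accounts authenticating from a network never seen for them.
    for e in ok:
        if e["user"] in baseline and not from_known_source(e["src"], known.get(e["user"], [])):
            findings.append(("new_source", e["user"], e["src"]))

    # 3. One source address used to log in as more than one distinct account.
    users_by_src = defaultdict(set)
    for e in ok:
        users_by_src[e["src"]].add(e["user"])
    for src, users in users_by_src.items():
        if len(users) > 1:
            findings.append(("shared_source", src, tuple(sorted(users))))

    return findings


if __name__ == "__main__":
    for kind, subject, detail in review(SAMPLE_LOG):
        print(f"{kind:16} {subject:20} {detail}")
```

Failed logins are deliberately not treated as findings on their own; a single failure followed by success from a known network (carol above) is ordinary user behaviour, whereas the same unfamiliar address appearing behind a baseline account, a service account and a never-seen account is the pattern worth escalating before the credential and certificate reset steps are carried out.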

Source: NSA