Posted on August 25, 2019 at 5:28 PM
Cybercriminals Are Exploiting Vulnerable Servers of Two Famous VPNs
The assumption is that Virtual Private Networks, or VPNs, are online resources that help users encrypt their data and communications on the Internet to avoid hackers and content snoopers, gaining privacy in the process.
However, the effectiveness of a VPN brand depends on many factors, most notably its infrastructure and policies. According to researchers at the Black Hat security conference held last month in Las Vegas, cybercriminals are performing attacks to steal passwords, encryption keys, and other valuable information from unreliable VPN servers of two famous brands.
These companies, namely Fortigate SSL VPN and Pulse Secure SSL VPN, have several servers that haven’t applied some crucial fixes, a situation that has made both of them extremely vulnerable to hackers stealing the aforementioned information from the servers.
Problems With Unpatched Servers
According to the investigators at the Black Hat meeting, these vulnerabilities can be exploited if the hacker or entity sends unpatched servers Web requests with a particular characters sequence.
The file-reading exploits were found at Fortigate, installed on nearly 500,000 servers, and Pulse Secure, found on 50,000 of them, according to information presented by Devcore Security Consulting specialists and researchers.
The folks at Devcore also unveiled other key exploits associated with both brands. If attackers take advantage of them, they will be able to execute malicious code and modify passwords from a remote location. In the case of Fortigate VPN, it developed patches for this situation in May, whereas Pulse Secure did it in April.
However, several users have reported that once the patches have been installed, they often experienced service disruptions that become an obstacle for them to perform essential operations of a VPN company.
Bad Packets, a security intelligence service, performed Internet scans in recent hours. The results pointed out that Pulse Secure had 2,658 endpoints vulnerable to flaws that are being exploited at the moment. According to the scan, these endpoints belonged to institutions and organizations such as the US military and other federal, state, and local governments agencies. Others are public universities and schools, banks, hospitals, and health care providers. The majority of endpoints are located in the United States.
Over the past two days, cybercriminals have spent much of their time spraying the Internet with code that tries to exploit the situation, according to known independent researcher Kevin Beaumont.
Known Offenders
Beaumont said that he found attacks coming to Fortigate’s way through the 91.121.209.213 IP address, one that has been associated with misconduct in the past. Another address, the 52.56.148.178, was discovered to spray exploits on a Friday scan with the BinaryEdge engine.
Beaumont pointed out that the offenses towards the unpatched Pulse Secure servers are coming from 2.137.127.2, with the exploit code becoming available this week. Independent researcher Troy Mursch, the one behind Bad Packets, explained that he identified attacks coming from 81.40.150.167.
If a mass scan manages to spot a vulnerable or exploitable server, it could exploit a code-execution flaw that the specialists at Devcore unveiled.
Mursch observed that the scans target endpoints that are vulnerable to arbitrary file reading, a situation that leads to the leaking of critical data, most notably users credentials and private keys. They can, subsequently, be used to perpetrate further command injections to access private networks.
Essentially, Mursch used a server to attract the attacker and learn more information about it, and the server he used to detect said attacks also managed to spot the fact that the 2.137.127.2 IP address was targeting the Pulse Secure exploit, as well.
His belief is that either of the IP addresses was being operated by researchers with the intention of investigating on the matter, scanning for unpatched servers. The “honeypot” was provided by BinaryEdge.
The exploits are extremely delicate since they can affect software that is needed to be accessible to the Internet and act as a gateway to enter parts of an entity’s network that are supposed to be private or sensitive.