Posted on April 27, 2021 at 6:01 PM
Multiple reports published over the weekend showed that state-backed threat groups are actively exploiting known vulnerabilities in virtual private network (VPN) products. The use of VPNs increased sharply during the COVID-19 lockdowns enforced by various governments to keep their citizens safe.
This has coincided with a marked rise in nation-state attacks exploiting vulnerabilities in these VPNs.
Cybersecurity vendor FireEye recently disclosed that it had observed hackers exploiting VPN weaknesses to target financial and government organizations. The security firm said most of the exploits rely on previously known vulnerabilities for which updates or patches are already available.
The pattern of exploitation suggests that the affected organizations are not applying those updates and patches, which has left them exposed to attack.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory providing updates on the supply chain attack on the SolarWinds Orion platform.
According to CISA, it discovered a threat actor exploiting a recent bug. The attacker connected through a Pulse Secure VPN appliance, moved on to the victim's SolarWinds Orion server, and installed the Supernova malware in the process.
Although SolarWinds has released a patch for the Orion vulnerability, CISA stated that no patch is yet available for the Pulse Secure vulnerability.
Known vulnerabilities repeatedly exploited
Recently, several cybersecurity units and agencies have voiced concerns about vulnerabilities in Pulse Secure VPN appliances.
Earlier this month, a joint advisory by the FBI, CISA, and the National Security Agency (NSA) reported that Russian state actors have repeatedly exploited known vulnerabilities in a series of attacks.
The attacks have been observed exploiting vulnerabilities in Pulse Connect Secure VPN and Fortinet FortiGate VPN appliances, as well as Citrix Application Delivery Controller (ADC) and Gateway.
In December last year, the NSA also issued an advisory stating that Russian intelligence actors were exploiting a known bug in VMware Workspace ONE Access, and asked organizations to apply the available patch.
The advisory stated that the threat actors make use of the bugs to carry out “widespread scanning and exploitation against vulnerable systems.”
The U.S. agencies have been very active in the hunt for hackers, especially state-sponsored actors, who are sophisticated enough to cause severe data breaches.
Most of the bugs were patched several months ago
The hackers use several techniques, including forging web credentials, exploiting software for credential access, using valid accounts, compromising supply chains, leveraging external remote services, and exploiting public-facing applications.
The advisory highlighted five vulnerabilities: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-4006, and CVE-2019-9670.
Most of them have been public for up to two years, and patches have been available for many months. Even so, some organizations have not applied the patches, and threat actors keep exploiting the bugs to target them. Previous advisories have warned these organizations to update as quickly as possible to avoid falling victim to this exploitation activity.
CVE-2018-13379, a path-traversal flaw in the FortiOS SSL VPN web portal, carries a CVSS score of 9.8 and was fixed in May 2019. Successful exploitation lets an attacker download system files from the appliance remotely.
Organizations do not monitor vulnerability disclosures
Secure remote access products share a common issue that may explain why these vulnerabilities linger. According to Scot Caveza, research engineering manager at Tenable, slow patch times may be a consequence of how important the products are within an organization.
“For something critical such as a VPN device, downtime for patching could majorly disrupt productivity,” Caveza stated.
He added that an SSL VPN device is often treated as "mission-critical software" for which no backup option is available.
He also said that many organizations probably do not regularly monitor vendor vulnerability disclosures or carry out routine vulnerability scans.
These gaps delay an organization's discovery that a patch is available. Threat actors, Caveza reiterated, keep exploiting the vulnerabilities by targeting those that have not applied the patch.
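As an added example of the kind of routine check Caveza describes (not code from the article, Tenable, or any vendor), the script below compares a constructed inventory of internet-facing appliances against a small list of advisory records and reports every host still running an affected version, together with how long a fix has been available. Only the CVE IDs and product names come from the advisories discussed above; the affected-version ranges and patch dates are illustrative placeholders and must be taken from the vendor's own advisory before use. The version parser accepts the mixed notations these appliances use (dotted FortiOS versions, Pulse Secure "R" releases, Citrix build numbers).

```python
"""Inventory-versus-advisory check (added example, not from the page).

Flags appliances whose running version falls inside an affected range
and reports how long the fix has been available as of a given date.
"""
import re
from datetime import date

# Constructed advisory records. CVE IDs and products come from the joint
# advisory; the version ranges and patch dates are PLACEHOLDERS for
# illustration and must be replaced with the vendor's published values.
ADVISORIES = [
    {"cve": "CVE-2018-13379", "product": "FortiOS",
     "affected": [("5.4.6", "5.4.12"), ("5.6.3", "5.6.7"), ("6.0.0", "6.0.4")],
     "patched": date(2019, 5, 24)},
    {"cve": "CVE-2019-11510", "product": "Pulse Connect Secure",
     "affected": [("8.2R1", "8.2R12"), ("8.3R1", "8.3R7"), ("9.0R1", "9.0R3.3")],
     "patched": date(2019, 4, 24)},
    {"cve": "CVE-2019-19781", "product": "Citrix ADC",
     "affected": [("13.0.0", "13.0.47.23")],
     "patched": date(2020, 1, 19)},
]

# Constructed inventory of internet-facing appliances (hostnames are made up).
INVENTORY = [
    {"host": "vpn1.example.com", "product": "FortiOS", "version": "6.0.4"},
    {"host": "vpn2.example.com", "product": "FortiOS", "version": "6.0.5"},
    {"host": "pcs.example.com", "product": "Pulse Connect Secure", "version": "9.0R3.1"},
    {"host": "adc.example.com", "product": "Citrix ADC", "version": "13.0.47.24"},
]


def parse_version(version):
    """Turn '6.0.4', '9.0R3.4' or '13.0.47.24' into a tuple of ints.

    Non-digit separators ('.', 'R', '-') are all treated as field breaks, so
    versions from different vendors compare with ordinary tuple ordering.
    A shorter tuple that is a prefix of a longer one sorts before it, which
    is what we want: 9.0R3 < 9.0R3.1.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version, ranges):
    """True if version lies inside any inclusive [low, high] range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def find_exposures(inventory, advisories, as_of):
    """Return one finding per (host, CVE) still exposed, oldest fix first.

    Each finding carries the number of days a patch has been available,
    which is the figure to escalate when it exceeds the patch SLA.
    """
    findings = []
    for host in inventory:
        for adv in advisories:
            if adv["product"] != host["product"]:
                continue
            if is_affected(host["version"], adv["affected"]):
                findings.append({
                    "host": host["host"],
                    "cve": adv["cve"],
                    "version": host["version"],
                    "days_patch_available": (as_of - adv["patched"]).days,
                })
    return sorted(findings, key=lambda f: -f["days_patch_available"])


if __name__ == "__main__":
    for f in find_exposures(INVENTORY, ADVISORIES, date(2021, 4, 27)):
        print(f"{f['host']}: {f['cve']} (running {f['version']}), "
              f"fix available for {f['days_patch_available']} days")
```

Run against a real inventory, the script would be fed by whatever asset list the organization already keeps and re-run whenever a vendor advisory lands; the point of the days-available figure is to turn "a patch exists" into a number that shows how far past any reasonable patch window a given appliance has drifted.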
Security researchers have also pointed out that the government sector now shows an increased number of vulnerabilities, which was not the case in the past. They also stated that most organizations leave a lot to be desired when it comes to managing and tracking their security performance. As a result, threat actors are always looking for loopholes to exploit and launch attacks on their systems.