During the most recent months, multiple security flaws have been discovered affecting the virtual private network (VPN) solutions of companies such as Palo Alto Networks, Fortinet and Pulse Secure, which could be exploited by threat actors to gain access to the networks of a target company and steal confidential information or perform spying activities, as mentioned by network perimeter security specialists.
Pulse Secure is the company that has received the most reports lately, with a total of 10 vulnerabilities identified since March last year. The most severe of these flaws (tracked as CVE-2019-11510) could be exploited for arbitrary code execution. This vulnerability received a score of 10/10 on the scale of the Common Vulnerability Scoring System (CVSS).
According to reports from the National Security Agency (NSA), over the past year, more than 14,000 VPN servers were located exposed to the exploitation of this failure worldwide, in addition to the identification of active exploitation campaigns. Although Pulse Secure issued patches to fix this vulnerability in August 2019 network perimeter security experts from the US Cybersecurity and Infrastructure Security Agency (CISA) state that the installation of these patches has not been enough to prevent the exploitation of CVE-2019-11510.
According to CISA, threat actors could have access to compromised networks even after patch installation, as the vulnerability consisted of raw password extraction, and risk mitigation involved resetting VPN users’ passwords: “Despite security patches being released, we have detected security incidents involving the use of Exposed Active Directory credentials during the time after release, we have detected security incidents involving the use of Exposed Active Directory credentials during the time after release, we have detected security incidents involving the use of Active Directory credentials exposed during the time after release mitigations,” says CISA.
Threat actors reportedly used the Tor browser to connect to compromised environments and VPN servers to avoid detection. Hackers then create scheduled tasks, install remote access malware, and employ other tools to generate persistence on the target system, network perimeter security specialists mentioned.
CISA revealed a report on a specific attack, in which the threat actor attempted to sell the stolen credentials after completing numerous attempts to connect to a Pulse Secure deployment and install malware on the compromised system. This hacker (or hacker group) has been linked to other attack attempts.
In this regard, the International Institute of Cyber Security (IICS) recommends that any user, individual or corporate, of Pulse Secure VPN update their deployments as soon as possible, in addition to resetting their login credentials, to avoid exploiting this vulnerability.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.