Chinese APT Group Began Targeting SSL VPN Flaws in JulyPulse Secure and Fortinet Released Critical Fixes Months Ago, But Patching Lags
A hacking group known as APT5 - believed to be affiliated with the Chinese government - has been targeting serious flaws in Pulse Secure and Fortinet SSL VPNs for more than six weeks, security experts warn.
The attack alert comes in the wake of security researchers warning of a surge in scans looking for the security vulnerabilities. Successfully exploiting the flaws could enable attackers to steal data on user accounts and passwords from SSL VPNs without having to first authenticate, thus giving them full, remote access to enterprise networks.
Cyber threat intelligence analyst Troy Mursch, who tweets as @bad_packets, says attackers in recent weeks have been probing for the existence of vulnerabilities in both types of SSL VPNs. He says the greatest concentration of vulnerable Pulse Secure systems are in the United States (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).
WARNING— Bad Packets Report (@bad_packets) September 5, 2019
Mass scanning activity detected from 18.104.22.168 and 22.214.171.124 attempting to exploit Pulse Secure VPN servers vulnerable to arbitrary file read (CVE-2019-11510) leading to sensitive information disclosure of user credentials.#threatintel pic.twitter.com/7uuarIUwWW
That's despite both vendors having released critical patches several months ago. Pulse Secure released its fixes for Pulse Connect Secure, previously known as Juniper SSL Virtual Private Network, in April, while Fortinet released fixes for FortiOS in April and May. Both companies issued firmware updates and have continued to urge customers to patch. Pulse Secure says it will assist any customers that require help - even if they aren't currently paying for customer support.
The flaws were detailed in greater depth in early August at the Black Hat and Def Con conferences in Las Vegas by researchers Meh Chang (@mehqq_) and Orange Tsai (@orange_8361) of the Taipei City, Taiwan-based consultancy Devcore, who had discovered the flaws and reported them to the vendors. Later last month, proof-of-concept exploits for the vulnerabilities began appearing.
More in-depth exploitation guides for red teams have also been released by security researchers.
Exploits Date From At Least July
The fact that the vulnerabilities were being targeted by APT5 was first reported Thursday by ZDNet, which cited unnamed industry sources saying the attacks had begun last month after proof-of-concept exploits were released.
On Aug. 22, Benjamin Koehl, an analyst at Microsoft's threat intelligence center, warned via Twitter that APT5 - referred to as Manganese by Microsoft, and PittyTiger and Pitty Panda by other security firms - was actively exploiting at least one of the SSL VPN flaws.
On Thursday, his fellow Microsoft threat intelligence center analyst Mark Parsons said via Twitter that at least one of the SSL VPN flaws had been targeted by APT5 "since mid-July, almost a full month before a public POC was available." But researchers have warned that other hackers and hacking groups have also been targeting the vulnerabilities.
APT5 Targets Southeast Asia
Cybersecurity firm FireEye says APT5 has been active since 2007, typically focusing on southeastern Asian targets, including telecommunications firms - and especially satellite communications vendors - as well as high-tech manufacturers and companies that develop technologies with military applications.
"It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure," FireEye says. "The group uses malware with keylogging capabilities to specifically target telecommunication companies' corporate networks, employees and executives."
In some cases, attackers - sometimes using Leouncia malware - have spied on targets, for example, to collect information on "pricing discussions, bidding strategies and competitor pricing information," as well as target companies' business opportunities and bidding plans, FireEye reports.
FireEye has not attributed the activities of APT5 to any nation-state. But many security experts suspect that the group is affiliated with the Chinese government (see Chinese Cyber Threat: NSA Confirms Attacks Have Escalated).
Pulse Secure Describes Fix Strategy
Total vulnerable Pulse Secure VPN servers by country:— Bad Packets Report (@bad_packets) September 1, 2019
United States: 3,481
United Kingdom: 664
South Korea: 258
All others: 2,896https://t.co/HVXWLcJZj1
"Among the most severe issues reported is CVE-2019-11510, an arbitrary file disclosure vulnerability," Scott Caveza, a research engineering manager at Tenable, says in a blog post. "This flaw could allow an unauthenticated, remote attacker to read the contents of files found on a vulnerable device, including sensitive information such as configuration settings."
The security vendor says it has been urging customers to patch these flaws and has advised users to contact Pulse Secure directly if they require assistance. "The patch fix for this vulnerability was made available by Pulse Secure in April 2019. We have worked aggressively with our customers to deploy the patch fix," Scott Gordon, chief marketing officer at Pulse Secure, tells Information Security Media Group.
Gordon says the company cannot give a definitive count of the number of servers that remain at risk. "We cannot verify that the vulnerable server count as depicted by Bad Packets are at-risk exposures, but we can confirm that the majority of our customers have applied the patch," Gordon says. "For example, some of the unpatched appliances that were discovered are test appliances and lab units that are typically isolated and not in production. However, Pulse Secure strongly recommends that customers apply the patch fix to all of their appliances as soon as possible."
"We are also offering assistance to customers to patch for these vulnerabilities even if they are not under an active maintenance contract."
—Scott Gordon, Pulse Secure
Pulse Secure says it continues to urge any customers who have yet to apply the patch to contact the company immediately for help. "Pulse Secure support engineers are available 24x7, including weekends and holidays, to help customers who need assistance to apply the patch fix," Gordon says. "We are also offering assistance to customers to patch for these vulnerabilities even if they are not under an active maintenance contract."
Fortinet Details FortiOS Updates
Fortinet declined to comment on patching delays by its customers. Instead, it pointed ISMG to a blog post the company published on Aug. 28 that describes the three vulnerabilities it's patched and the risks they pose in organizations that fail to install the security updates.
WARNING— Bad Packets Report (@bad_packets) September 2, 2019
Ongoing mass scanning activity detected from 126.96.36.199 attempting to exploit Fortinet VPN servers vulnerable to unauthenticated arbitrary file read (CVE-2018-13379) that allows disclosure of usernames and password in plaintext.#threatintel pic.twitter.com/uwKRIgGbLV
Fortinet says it's also crafting "FortiGuard signatures" that look for known attack-code strings so they can be blocked by Fortinet products that have intrusion prevention system capabilities.
'Magic String' Expunged from FortiOS
Fortinet noted that in May it also patched a "magic string" flaw that researchers had found, involving a vulnerability, designated CVE-2018-13382, that enabled any user with local authentication - but not remote SSL VPN users - to change the password for any SSL VPN web portal user, without any further credentials being required.
"That function had been inadvertently bundled into the general FortiOS release," Fortinet said, adding that the feature "had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring."
Fortinet declined to name the customer.