Kroll reviewed a wide variety of incident response cases in recent weeks that involved some sort of remote access compromise. With record numbers of employees now working from home, accidental and malicious data exposure incidents are on the rise, many of which are due to vulnerabilities associated with virtual private network (VPN) or remote desktop protocol (RDP) connections.
While VPNs are traditionally more secure than RDP solutions, several VPN vendors released patches for serious vulnerabilities in the past year, and cybercriminals were quick to target organizations that had not applied them. Organizations that haven’t updated their VPN software are now prime targets for ransomware operators and other malicious actors. In a recent Cybersecurity Advisory, the National Security Agency (NSA) urged organizations to check VPN products for upgrades. The advisory warned, “Upgrade your VPN products to the latest vendor-released versions to protect your networks from these attacks. The known vulnerabilities include Pulse Secure™, Palo Alto GlobalProtect™ and Fortinet FortiGate™ VPN products.”
Pulse Secure VPNs are particularly exposed because of CVE-2019-11510, a critical flaw in Pulse Connect Secure (PCS) appliances for which the company issued an advisory last year. The flaw lets an unauthenticated remote attacker read arbitrary files from the appliance. Pulse Secure’s advisory stated the vulnerabilities could “allow an unauthenticated user to perform a remote arbitrary file access on the Personal Communication Service (PCS) gateway … and allow an authenticated administrator to perform remote code execution...”, both of which, the advisory added, “pose significant risk to your deployment.” The advisory was updated in 2020 to reflect new exploitation information and recommendations. Because there is no workaround, the Cybersecurity and Infrastructure Security Agency (CISA) recommends applying the vendor’s patches and performing all necessary system updates.
How Do Threat Actors Exploit Vulnerable VPNs?
Actors mainly identify potential corporate targets by scanning the internet for exposed VPN appliances and then gain access to user accounts via known exploits. Skip to the “Exploit in Action” section of this newsletter to see a video demonstration. In the past, threat actors most often compromised VPNs through “session hijacking,” after getting their hands on a valid session ID through means such as brute-force attacks or reverse engineering.
Thomas Brittain, Associate Managing Director at Kroll, said that has dramatically changed. He commented, “We’ve been seeing engagements where actors are getting access without session hijacking and that’s due to CVE-2019-11510’s pre-authentication vulnerability that allows unimpeded access. Essentially, actors can query the vulnerable VPN to pull a unique ID for an account, then leverage web browser development tools to manually set a value to the ID, and that allows them unauthenticated access to the VPN administrator console.” From there, it’s generally short work for actors with system access to remotely connect to internal systems. Once on your internal network, they download and execute programs and commands to conduct reconnaissance and harvest passwords, enabling them to move laterally in the network and, in many cases, prepare to deploy ransomware.
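The attack chain above leaves a recognizable trail: a path-traversal request under the appliance’s /dana-na/ or /dana/html5acc/guacamole/ paths that resolves to a sensitive file, followed by the same source reaching the /dana-admin/ console. The script below is an added example (not Kroll’s code or tooling from the newsletter) that looks for that sequence in web access logs. It assumes the appliance sits behind a proxy or IDS that records requests in Common Log Format, and the sample lines, IP addresses and timestamps are constructed for the demonstration; the sensitive-file list reflects the targets named in public reporting on CVE-2019-11510.

```python
"""Flag CVE-2019-11510-style pre-auth file reads and follow-on admin console access."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log (Common Log Format); not from a real incident.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Apr/2020:03:14:07 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.45 - - [10/Apr/2020:03:14:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1544
203.0.113.45 - - [10/Apr/2020:03:14:12 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576
203.0.113.45 - - [10/Apr/2020:03:15:40 +0000] "GET /dana-admin/misc/admin.cgi HTTP/1.1" 200 8120
198.51.100.7 - - [10/Apr/2020:03:16:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [10/Apr/2020:03:16:30 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files that public CVE-2019-11510 exploitation pulls from the appliance.
SENSITIVE_FILES = {
    "/etc/passwd",
    "/etc/hosts",
    "/data/runtime/mtmp/lmdb/dataa/data.mdb",  # cached session IDs (DSID values)
    "/data/runtime/mtmp/system",               # appliance configuration
}

# Severity order used when collapsing findings to one verdict per source.
RULE_ORDER = [
    "generic-traversal",
    "cve-2019-11510-traversal",
    "cve-2019-11510-file-read",
    "admin-console-after-file-read",
]


def decode_path(raw_target):
    """Drop the query string and percent-decode until stable (catches %252e%252e)."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """Return a rule name for one decoded request path, or None if it looks benign."""
    traversal = ".." in path.split("/")
    resolved = posixpath.normpath(path)  # what the traversal actually points at
    pulse_surface = path.startswith("/dana-na/") or "/dana/html5acc/guacamole/" in path
    if traversal and pulse_surface:
        if resolved in SENSITIVE_FILES:
            return "cve-2019-11510-file-read"
        return "cve-2019-11510-traversal"
    if traversal:
        return "generic-traversal"
    return None


def detect(log_text):
    """Scan access-log text (assumed chronological) and return a list of findings."""
    findings = []
    pulled_files = set()  # sources that successfully read a sensitive file
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, when, status = match.group("ip"), match.group("time"), match.group("status")
        path = decode_path(match.group("target"))
        rule = classify_request(path)
        if rule == "cve-2019-11510-file-read" and status == "200":
            pulled_files.add(ip)
        # The pattern Brittain describes: a replayed session ID lands in the admin console.
        if rule is None and ip in pulled_files and path.startswith("/dana-admin/"):
            rule = "admin-console-after-file-read"
        if rule:
            findings.append({"ip": ip, "time": when, "rule": rule,
                             "path": posixpath.normpath(path), "status": status})
    return findings


def summarize(findings):
    """Collapse findings to the most severe rule seen per source IP."""
    worst = {}
    for finding in findings:
        rank = RULE_ORDER.index(finding["rule"])
        if finding["ip"] not in worst or rank > RULE_ORDER.index(worst[finding["ip"]]):
            worst[finding["ip"]] = finding["rule"]
    return worst


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
    print(summarize(SAMPLE_LOG and detect(SAMPLE_LOG)))
```

A successful file read (HTTP 200 on a resolved sensitive path) is the strongest single indicator; a 404 on the same traversal still shows targeting and is worth correlating with the vendor version check. Because the appliance caches session IDs, any source that pulled data.mdb should be treated as holding valid sessions until those sessions are invalidated and credentials rotated, regardless of whether the admin console access in the logs is visible.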
Watch Thomas Brittain go into further detail about how to recognize signs of Pulse VPN exploits.