Micro Focus is now part of OpenText. Learn more >

You are here

You are here

This just got real: US, UK agencies issue joint VPN security alert

Richi Jennings Your humble blogwatcher, dba RJA

Spy agencies in the US and UK are jointly warning of big trouble for many users of enterprise VPNs. Hacker groups—some state-sponsored—are wreaking havoc at sites that haven’t patched their installations.

The agencies—the NSA and the NCSC—have long remediation checklists for your admin pleasure. So drop everything—even if you’ve already patched your VPN.

As if you didn’t have anything better to do. In this week’s Security Blogwatch, we’re licensed to CVE.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: drinkybird.

Pay attention, 007

What’s the craic? Liam Tung has this warning for VPN users—Patch now, warns spy agency:

If your employees are using … VPNs from Fortinet, Palo Alto, or Pulse Secure, you really need to patch the products and search … for signs of compromise. … A group of Chinese state-backed hackers known as APT5 have been attacking enterprise VPN servers.

The VPN flaws would allow attackers to gain authentication credentials that can be used to connect to the VPN and change configuration settings or provide privileges to use additional exploits to gain a root shell. … The UK's National Cyber Security Centre (NCSC), a unit of UK spy agency GCHQ … is recommending organizations … check all VPN settings and carry out checks on logs for services such as email that users connect to the network through a VPN. It also recommends wiping devices if they may have been compromised.

Not just the NCSC, but also the NSA. Davey Winder is like a coiled spring—Governments Issue Update Now Warning:

Both US and UK government agencies have taken the unusual step of issuing a rare update-now warning … concerning a critical cybersecurity threat from advanced persistent threat (APT) attackers. … As is often the case, these official government warnings come when vulnerabilities that have been known about for some time have, despite fixes being available, [with] ongoing exploits causing concern.

The vulnerabilities are well documented … and the exploit activity is continuing with international targets across academic, business, government, healthcare and military sectors. … FortiGuard Labs, Palo Alto Networks and Pulse Secure [have] all issued advisories with strong recommendations to update, [but] it would seem that this advice has not been followed by enough organizations.

Both agencies recommend the use of multi-factor authentication as an attack surface hardening measure, and the disabling of unused functionality and services to reduce that attack surface.

NSA? No such agency. Oh, wait—Mitigating recent VPN vulnerabilities:

Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices. … CVE-2019-11508 … CVE-2019-11538 … CVE-2019-1579.

If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching. NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network. … Revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users.

Discourage use of proprietary SSLVPN/TLSVPN protocols. Transition … to either IETF standard-conformant TLS for single application use cases, or to IKE/IPsec VPNs.

Discourage the use of self-signed and wild card certificates. … Periodically rotate and update legitimate certificates. … Require mutual certificate-based authentication [and] multi-factor authentication. … Do not allow VPN administrators to login to the management interface via the public-facing VPN.

If compromise is suspected, review accounts to ensure no new accounts were created by adversaries.

NCSC? Now, chaps. Security, crikey: [You’re fired—Ed.]

Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files. … Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits.

The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates. Pulse Secure, Fortinet and Palo Alto have all released patches for these vulnerabilities.

Security patches should always be applied promptly. … Patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.

Check all configuration options for unauthorised changes. … If you have known-good backups of the configuration … then restoring these may be prudent. … If you suspect exploitation has occurred but cannot find specific evidence of changes made, you may wish to factory reset (or wipe) your device.

Yikes. All this talk of “business disruption” and “redistributing VPN connection information to users” sounds like a recipe for IT hell. So raytracer78 deflects the blame:

I have tried to engage HR regarding IT onboarding time with recent hires. Some of these people have never used a laptop before, had no concept of using a VPN, when watching them use the computer they seemed like they didn't know how to use the mouse or type.

Although Luke Faraone wishes VPNs begone:

VPNs are a hassle for users and admins. It'd be easier for everyone … if all internal apps were just public on the internet.

VPNs are a band-aid / work-around for "we don't have strong authentication and authorization on all services." That's fine, not everyone can do [that], and they can provide some safety vs. the anonymous attacker. … But too often they lure IT environments into a false sense of security.

Band-aids aren't per-se a bad thing. However, a VPN isn't the ideal end state. Even if you can't modify the underlying application, the goal should be "wrap in a reverse-proxy that handles authn / some-amount-of-authz so you can minimise the risk."

VPNs … don't protect you against an attacker able to compromise an endpoint in your corporate environment.

But if you do need a VPN, and you want to avoid one of the products mentioned, thawkth hath a thuggethtion:

OpenVPN access sever. Very easy to set up and deploy, extremely reasonable license cost, can set it up using a repository in Linux or deploy VMware/hyperv image

We’ve run it in production for almost five years now with no major complaints. Biggest issue right now is a lack of good multi factor support.

I will say though that something like an RD gateway might make more sense if you literally only need to give RDP access. A vpn can be extreme overkill and a bigger security issue.

But why should the NSA have all the fun? Catalin Cimpanu brings the Bureau—FBI warns about SIM swapping and tools like Muraen and NecroBrowser:

The US Federal Bureau of Investigation [sent] a security advisory to private industry partners about the rising threat of attacks against organizations and their employees that can bypass multi-factor authentication (MFA) solutions. … The FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraen and NecroBrowser.

The FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around [it]. Despite the rise in the number of incidents and attack tools capable of bypassing MFA, these attacks are still incredibly rare and have not been automated at scale.

Users should choose a stronger MFA solution that is not vulnerable to social engineering tricks like SIM swapping, or transparent proxies that can intercept the MFA token.

All together now. David A. Gatwood chants an SMS factor is not 2FA:

If your second factor is a telephone, you don't actually have 2FA. After all, the second factor cannot be the same device that you're using to sign in, because that's the same physical device as the one with access to the first factor (the password).

Meanwhile, Thomas H. Ptáček wishes a plague on all their houses:

Commercial enterprise VPN products are an open sewer, and there aren't any, from any vendor, that I trust. I don't like OpenVPN or strongSwan, but you'd be better off with either of them than you would be with a commercial VPN appliance.

The moral of the story?

Search for signs of compromise. Then nuke your VPN from orbit (it’s the only way to be sure).

And finally

Drinking lucky bird

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Michael Schwarzenberger (Pixabay)

Keep learning

Read more articles about: SecurityInformation Security