Black Hat Security Conference Leads Hackers to Attack Two Unpatched Enterprise VPNs
After this month's Black Hat security conference, two popular enterprise VPNs were hijacked by cybercriminals once their vulnerabilities were publicly disclosed by security researchers at Devcore.
The talk by Meh Chang (@mehqq_) and Orange Tsai (@orange_8361) presented alarming findings about SSL VPNs, and the proof-of-concept details included in their blog post of August 8th, 2019 prompted attackers to dig deeper.
Critical vulns in #FortiOS reversed & exploited by our colleagues @niph_ and @ramoliks – patch your #FortiOS asap and see the #bh2019 talk of @orange_8361 and @mehqq_ for details (tnx guys for the teaser that got us started) pic.twitter.com/TLLEbXKnJ4
— Code White GmbH (@codewhitesec) July 2, 2019
The blog post provided full details and demo code for a number of vulnerabilities in FortiGate and Pulse Secure VPNs, with damaging consequences for both products.
Attackers chose to exploit CVE-2018-13379, which affects FortiGate (installed on over 480,000 servers), and CVE-2019-11510, which affects Pulse Secure (installed on about 50,000 machines), to remotely execute malicious code and change passwords.
Patches for these vulnerabilities became available in May for FortiGate and in April for Pulse Secure. However, installing them can cause service disruptions that prevent enterprises from carrying out essential business tasks.
As such, many customers either avoided installing the patch or failed to update their VPNs when these patches were released. Unfortunately, they are now paying the price, as thousands have gained access to private passwords and accounts.
On Thursday, August 22, 2019, Bad Packets' honeypots and internet scans also revealed that over 14,528 Pulse Secure VPN endpoints were being targeted for exploitation.
Mass scanning activity detected from 22.214.171.124 checking for @pulsesecure Pulse Connect Secure VPN endpoints vulnerable to arbitrary file reading (CVE-2019-11510). #threatintel pic.twitter.com/fiRUMKjwbE
— Bad Packets Report (@bad_packets) August 22, 2019
This was a massive increase from the initial scan, which found 2,658 unpatched servers. The vulnerable servers were spread across 121 countries worldwide. Below is a round-up of the most affected countries and the number of attack attempts:
Similarly, reports of mass scanning to identify and exploit vulnerable FortiGate SSL VPNs started gaining traction. On Sunday, Kevin Beaumont stated that one of his honeypots had recorded the "FortiGate SSL VPN backdoor being used in the wild."
Just seen the Fortigate SSL VPN backdoor being used in the wild on the honeypot. Mass stuff of /remote/logincheck to change password using 4tinet* backdoor, cycling a mass list of usernames (support, admin etc)
To catch it you need to serve page back via /remote/login* first.
— Kevin Beaumont (@GossiTheDog) August 25, 2019
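The two scanning patterns described above, arbitrary-file-read probes against Pulse Secure endpoints and a single source cycling usernames through /remote/logincheck on FortiGate, are both visible in ordinary request logs. The following Python script is an added example (not code from the original article, from Devcore, or from either vendor) showing how a defender might flag them. The log line shape, the source addresses, the usernames, the `/vpn/` path prefix and the threshold of five distinct usernames are all constructed for illustration and are not Fortinet's or Pulse Secure's real log formats or paths.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines in a simple "timestamp src method path [user=...] status=..."
# shape. This is an illustrative format, not a real FortiGate or Pulse Secure log.
SAMPLE_LOG = """\
2019-08-25T10:00:01 198.51.100.7 POST /remote/logincheck user=admin status=401
2019-08-25T10:00:02 198.51.100.7 POST /remote/logincheck user=support status=401
2019-08-25T10:00:03 198.51.100.7 POST /remote/logincheck user=guest status=401
2019-08-25T10:00:04 198.51.100.7 POST /remote/logincheck user=test status=401
2019-08-25T10:00:05 198.51.100.7 POST /remote/logincheck user=vpn status=401
2019-08-25T10:00:06 198.51.100.7 POST /remote/logincheck user=root status=401
2019-08-25T10:01:00 203.0.113.9 GET /vpn/../../../../etc/passwd status=200
2019-08-25T10:01:30 203.0.113.10 GET /vpn/%2e%2e/%2e%2e/etc/passwd status=404
2019-08-25T10:02:00 192.0.2.5 GET /remote/login status=200
2019-08-25T10:02:05 192.0.2.5 POST /remote/logincheck user=alice status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: user=(?P<user>\S+))? status=(?P<status>\d{3})$"
)

# A ".." path segment, either at the start or between slashes, after decoding.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_traversal(path):
    """True if the request path contains a dot-dot segment, including URL-encoded forms."""
    # Decode twice so both single- and double-encoded dot segments are caught.
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_RE.search(decoded))


def find_traversal(entries):
    """Return (source, path) pairs for requests that look like file-read probes."""
    return [(e["src"], e["path"]) for e in entries if is_traversal(e["path"])]


def find_username_cycling(entries, threshold=5):
    """Return sources that POSTed to /remote/logincheck with at least `threshold` distinct usernames."""
    users_by_src = defaultdict(set)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/remote/logincheck" and e["user"]:
            users_by_src[e["src"]].add(e["user"])
    return {
        src: sorted(users)
        for src, users in users_by_src.items()
        if len(users) >= threshold
    }


def analyze(text, threshold=5):
    """Run both detections over a block of log text and return the findings."""
    entries = [p for p in (parse_line(line) for line in text.splitlines()) if p]
    return {
        "traversal": find_traversal(entries),
        "username_cycling": find_username_cycling(entries, threshold),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The traversal check deliberately looks at the decoded path rather than the raw one, since scanners commonly encode the dot segments to slip past naive string matches. The username-cycling check keys on distinct usernames per source rather than on failed-login counts, which is what distinguishes the mass credential cycling Beaumont describes from an ordinary user mistyping a password a few times.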
Customers of both companies are being instructed to update their VPNs with the latest patches, as these enterprise-grade VPNs protect access to highly sensitive networks belonging to:
- Numerous Fortune 500 companies
- News/media corporations
- Major financial institutions
- Electric and gas utilities
- Hospitals and healthcare providers
- Public universities and schools
- U.S. military, federal, state, and government agencies
Wrapping Things Up
The researchers at Devcore have taken a crack at something huge. SSL VPNs had become the most popular way to provide remote access in enterprises.
Meh Chang and Orange Tsai were the only ones who asked whether this trusted equipment might be insecure, and the answer has undoubtedly surprised everyone!