Both the US NSA and UK NCSC warn hackers are actively exploiting vulnerabilities in VPN products
Both the US National Security Agency (NSA) and a GQHC agency in the United Kingdom have issued warnings about “multiple vulnerabilities in Virtual Private Network (VPN) applications.”
Both the NSA and the UK’s National Cyber Security Centre (NCSC) warned that advanced persistent threat (APT) actors are actively exploiting “known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto.”
VPNs are a popular as way for users to browse the web anonymously, or access websites or content that would normally be blocked in certain countries. Both China and Russia for example routinely blocks access to VPN services.
But the use of VPNs can have issues. In 2018 for example, users of three popular VPNs (Hotspot Shield, PureVPN, and Zenmate VPN) were warned that they suffered from IP leaks of data that could be sensitive.
And now the NSA said it was aware of vulnerabilities affecting multiple VPN applications.
“A remote attacker could exploit these vulnerabilities to take control of an affected system,” the NSA warned, before encouraging administrators to review the following security advisories and apply the necessary updates for Palo Alto Security; FortiGuard Security; and Pulse Secure Security.
The NCSC meanwhile said it was investigating the active exploitation of these three VPN flaws.
“This activity is ongoing, targeting both UK and international organisations,” said the GCHQ agency. “Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”
“Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials,” it warned. “An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.”
“Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell,” it added.
At least one security expert advised organisations using a VPN to patch now.
“Organisations need to patch as soon as possible as these two vulnerabilities are already heavily exploited in the field and the exploits are available for download,” said David Grout, CTO of EMEA at FireEye.
“The vulnerabilities were first presented at BlackHat in August this year and we have observed multiple campaigns exploiting them in recent weeks,” Grout added. “Attackers can use the vulnerabilities to obtain access to VPN gateway accounts, which means they can change them or to get access to the victim’s networks.”
“In the meantime organisations should review all of their logs and look for abnormal activities on their devices,” said Grout. “If possible, they should reset authentication on all impacted devices and I’d strongly encourage customers using these VPNs to deploy multi-factor authentication to limit password reuse attacks.”
The use of VPNs is considered by some to be controversial, but others argue that these tools ensure user privacy when web surfing.
However, since 2013 leaks from NSA whistleblower Edward Snowden have suggested that certain intelligence agencies have a tool that can used to crack VPNs.
In 2015 Netflix reportedly began blocking subscribers who access the streaming site via VPNs, proxies and other services that can bypass geographical restrictions placed on the service.
That action was apparently taken after pressure from movie studios and production companies, who reportedly lobbied Netflix to block such technology as it was affecting their licensing agreements.
Can you protect your privacy online? Take our quiz!