Chinese APT Group Began Targeting SSL VPN Flaws in July

Pulse Secure and Fortinet Released Critical Fixes Months Ago, But Patching Lags
Bad Packets Report on Aug. 31 counted 10,471 unpatched Pulse Secure SSL VPN servers as still being vulnerable to CVE-2019-11510. (Source: Bad Packets Report, Metasploit)

A hacking group known as APT5 - believed to be affiliated with the Chinese government - has been targeting serious flaws in Pulse Secure and Fortinet SSL VPNs for more than six weeks, security experts warn.

The attack alert comes in the wake of security researchers warning of a surge in scans looking for the security vulnerabilities. Successfully exploiting the flaws could enable attackers to steal data on user accounts and passwords from SSL VPNs without having to first authenticate, thus giving them full, remote access to enterprise networks.

Cyber threat intelligence analyst Troy Mursch, who tweets as @bad_packets, says attackers in recent weeks have been probing for the existence of vulnerabilities in both types of SSL VPNs. He says the greatest concentration of vulnerable Pulse Secure systems is in the United States (see: Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs).

That's despite both vendors having released critical patches several months ago. Pulse Secure released its fixes for Pulse Connect Secure, previously known as Juniper SSL Virtual Private Network, in April, while Fortinet released fixes for FortiOS in April and May. Both companies issued firmware updates and have continued to urge customers to patch. Pulse Secure says it will assist any customers that require help - even if they aren't currently paying for customer support.

The flaws were detailed in greater depth in early August at the Black Hat and Def Con conferences in Las Vegas by researchers Meh Chang (@mehqq_) and Orange Tsai (@orange_8361) of the Taipei City, Taiwan-based consultancy Devcore, who had discovered the flaws and reported them to the vendors. Later last month, proof-of-concept exploits for the vulnerabilities began appearing.

More in-depth exploitation guides for red teams have also been released by security researchers.

Exploits Date From At Least July

The fact that the vulnerabilities were being targeted by APT5 was first reported Thursday by ZDNet, which cited unnamed industry sources saying the attacks had begun last month after proof-of-concept exploits were released.

On Aug. 22, Benjamin Koehl, an analyst at Microsoft's threat intelligence center, warned via Twitter that APT5 - referred to as Manganese by Microsoft, and PittyTiger and Pitty Panda by other security firms - was actively exploiting at least one of the SSL VPN flaws.

On Thursday, his fellow Microsoft threat intelligence center analyst Mark Parsons said via Twitter that at least one of the SSL VPN flaws had been targeted by APT5 "since mid-July, almost a full month before a public POC was available." But researchers have warned that other hackers and hacking groups have also been targeting the vulnerabilities.

APT5 Targets Southeast Asia

Cybersecurity firm FireEye says APT5 has been active since 2007, typically focusing on southeastern Asian targets, including telecommunications firms - and especially satellite communications vendors - as well as high-tech manufacturers and companies that develop technologies with military applications.

Shodan search results for internet-connected Pulse Secure SSL VPN servers - patched or unpatched - as of Sept. 6, 2019.

"It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure," FireEye says. "The group uses malware with keylogging capabilities to specifically target telecommunication companies' corporate networks, employees and executives."

In some cases, attackers - sometimes using Leouncia malware - have spied on targets, for example, to collect information on "pricing discussions, bidding strategies and competitor pricing information," as well as target companies' business opportunities and bidding plans, FireEye reports.

FireEye has not attributed the activities of APT5 to any nation-state. But many security experts suspect that the group is affiliated with the Chinese government (see Chinese Cyber Threat: NSA Confirms Attacks Have Escalated).

Pulse Secure Describes Fix Strategy

Internet-connected device search engine Shodan counts 43,457 internet-connected Pulse Secure SSL VPN servers. As of Aug. 31, Bad Packets said 10,471 Pulse Secure SSL VPN servers remained unpatched.

"Among the most severe issues reported is CVE-2019-11510, an arbitrary file disclosure vulnerability," Scott Caveza, a research engineering manager at Tenable, says in a blog post. "This flaw could allow an unauthenticated, remote attacker to read the contents of files found on a vulnerable device, including sensitive information such as configuration settings."

Pulse Secure says it has been urging customers to patch these flaws and has advised users to contact the company directly if they require assistance. "The patch fix for this vulnerability was made available by Pulse Secure in April 2019. We have worked aggressively with our customers to deploy the patch fix," Scott Gordon, chief marketing officer at Pulse Secure, tells Information Security Media Group.

Gordon says the company cannot give a definitive count of the number of servers that remain at risk. "We cannot verify that the vulnerable server count as depicted by Bad Packets are at-risk exposures, but we can confirm that the majority of our customers have applied the patch," Gordon says. "For example, some of the unpatched appliances that were discovered are test appliances and lab units that are typically isolated and not in production. However, Pulse Secure strongly recommends that customers apply the patch fix to all of their appliances as soon as possible."

Pulse Secure says it continues to urge any customers who have yet to apply the patch to contact the company immediately for help. "Pulse Secure support engineers are available 24x7, including weekends and holidays, to help customers who need assistance to apply the patch fix," Gordon says. "We are also offering assistance to customers to patch for these vulnerabilities even if they are not under an active maintenance contract."

Fortinet Details FortiOS Updates

Fortinet declined to comment on patching delays by its customers. Instead, it pointed ISMG to a blog post the company published on Aug. 28 that describes the three vulnerabilities it's patched and the risks they pose in organizations that fail to install the security updates.

In May, FortiGuard Labs released patches for CVE-2018-13379, CVE-2018-13383, and CVE-2018-13382. Notably, CVE-2018-13379 "could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests," while CVE-2018-13383 "could also potentially allow remote code execution on FortiOS due to a failure to handle JavaScript href content properly," the company's security alert warns. But it notes that some social engineering would be required, since it "would require an authenticated user to visit a specifically-crafted and proxied webpage."

Fortinet says it's also crafting "FortiGuard signatures" that look for known attack-code strings so they can be blocked by Fortinet products that have intrusion prevention system capabilities.

'Magic String' Expunged from FortiOS

Fortinet noted that in May it also patched a "magic string" flaw that researchers had found, involving a vulnerability, designated CVE-2018-13382, that enabled any user with local authentication - but not remote SSL VPN users - to change the password for any SSL VPN web portal user, without any further credentials being required.

"That function had been inadvertently bundled into the general FortiOS release," Fortinet said, adding that the feature "had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring."

Fortinet declined to name the customer.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
