Nation-state actors are exploiting known vulnerabilities in several VPN and remote access products, indicating a troubling trend for enterprises.
Multiple advisories and reports have been published over the past few weeks addressing vulnerabilities found in VPNs, the use of which skyrocketed in the rush to remote work during the COVID-19 pandemic. Vendors like FireEye have observed those vulnerabilities being used in the wild, with targets including government and financial organizations. A majority of the malicious activity stems from known vulnerabilities, which have patches and updates available. However, it appears many organizations are not completing updates as some of the same vulnerabilities continually threaten security postures.
The most recent Cybersecurity and Infrastructure Security Agency (CISA) advisory provided new information on last year’s massive supply chain attack on the SolarWinds Orion platform. In the advisory Thursday, CISA said it recently responded to an advanced persistent threat (APT) actor’s “long-term compromise of an entity’s enterprise network, which began in at least March 2020.”
According to the advisory, the actor connected to the entity’s network via a Pulse Secure VPN appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as Supernova and then collected credentials. While there is a CVE available for the SolarWinds Orion flaw, a CISA spokesperson told SearchSecurity there is not one for the Pulse Secure vulnerability mentioned in the advisory.
Vulnerabilities in Pulse Secure VPN appliances have been the focus of several such alerts lately.
For example, a joint advisory earlier this month by the National Security Agency (NSA), CISA and FBI said the Russian Foreign Intelligence Service actors have frequently used publicly known vulnerabilities in initial attack stages. The ongoing attacks exploit flaws in Fortinet’s FortiGate VPN and Pulse Secure’s Pulse Connect Secure VPN, as well as VMware’s Workspace One Access and Citrix’s Application Delivery Controller and Gateway.
According to that advisory, actors use the vulnerabilities to “conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” Techniques used include exploiting public-facing applications, leveraging external remote services, compromising supply chains, using valid accounts, exploiting software for credentials access and forging web credentials. The targets include national security and government-related systems.
There are five vulnerabilities highlighted in the advisory: CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, CVE-2019-19781 and CVE-2020-4006. Most of the vulnerabilities are over two years old with patches available, and previous advisories have urged enterprises to update to avoid exploitation activity.
Just earlier this month, a joint cybersecurity advisory by the FBI and CISA said APTs may be exploiting multiple Fortinet FortiOS vulnerabilities, including the one found in the advisory from April 15. The critical vulnerability — CVE-2018-13379 — was resolved in May 2019 and received a CVSS score of 9.8; if exploited, the flaw allows an authenticated attacker to download system files. The advisory urged organizations to patch and update immediately.
The NSA previously released an advisory on the VMware vulnerability in December of last year, warning of Russian state-sponsored actors using the critical flaw to forge security assertion markup language (SAML) credentials to “send seemingly authentic requests to gain access to protected data.” The advisory strongly recommended that the National Security System, Department of Defense and the Defense Industrial Base system administrators apply the vendor-issued patch as soon as possible.
However, it appears that many organizations, government included, have not completed updates, as threat actors continually take advantage of old vulnerabilities.
These secure remote access products have one commonality that may be causing security to fall through the cracks. Scott Caveza, research engineering manager at Tenable, told SearchSecurity that the significance of these products within an organization may be contributing to slower patch times. “For something critical such as a VPN device, downtime for patching could majorly disrupt productivity,” he said in an email to SearchSecurity.
Caveza referred to SSL VPN devices as “mission-critical software” for which there may be no backup option available. “Patch windows have to be carefully planned and coordinated and a backup plan needs to be in place in case of lost configuration or incompatible patch.”
Additionally, Caveza said there are likely many organizations that don’t perform routine vulnerability scans or regularly monitor vendor vulnerability disclosures. Those reasons could cause a significant delay from the time a vulnerability is disclosed to the time that an organization becomes aware of the vulnerability and an accompanying patch.
“While it’s impossible to know for sure why these flaws seemingly fall through the cracks, it’s very clear that attackers regularly find success targeting well known, unpatched vulnerabilities,” he said.
Jake Olcott, vice president of communications and government affairs at risk management vendor BitSight, said there is often a long tail of organizations that do not patch critical vulnerabilities in a timely fashion, regardless of whether the flaws are in Pulse Secure VPNs or the latest Microsoft Exchange Server software.
“While some sectors may have higher rates of vulnerability — the government sector, for example, had the highest rates of vulnerable Microsoft Servers when we first started tracking the issue — we observe organizations of all sizes in every sector that struggle to effectively manage their security performance,” Olcott said in an email to SearchSecurity.
The reason why these critical vulnerabilities are not being addressed, even after months or years, is difficult to know. Olcott said reasons can include lack of visibility, lack of awareness of the severity of the vulnerability, patchwork security programs, overwhelmed security teams, lack of targeted information sharing and absence of adequate oversight.
Another factor is the high number of assigned CVEs just in the last year — over 18,000. It’s becoming too much for security teams to handle, Caveza said, especially as more and more employees move to remote work, expanding security risks.
Caveza said it’s the perfect storm of more and more connected devices, increased interest and activity by threat actors and a shortage of resources and budgets made available for defenders.
“Every week a slew of new vulnerabilities are patched while dozens of new exploits are released and used by attackers. While it’s easy to reflect back and say organizations should be patching faster and more regular, the reality is that many IT staff are overwhelmed with the number of devices and patches that need to be applied across an organization,” he said.
While there is no straight answer as to why or how to patch in a timelier manner to avoid exploitation, Olcott said it’s an important policy question for the Biden administration.
“Will the FBI continue to be entrusted to remove malware from systems like they were allowed to do in the Microsoft Exchange incident? Will targeted information sharing help organizations address these challenges more quickly?” he said. “We need a national commitment and strategy to address this problem rather than approach it in a whack-a-mole, piecemeal fashion.”