In the first quarter of 2021, attacks on Fortinet and Pulse Secure's virtual private network (VPN) products increased sharply as threat actors attempted to exploit previously disclosed vulnerabilities that organizations have not yet patched.
Nuspire's log data, collected from thousands of devices at customer locations, showed that attacks on Fortinet SSL-VPN increased by 1,916% from the beginning of the quarter as threat actors tried to exploit a path traversal vulnerability in the technology (CVE-2018-13379) that allows unauthenticated attackers to download files. In the same period, attacks on Pulse Connect Secure VPN jumped by 1,527% as attackers went after an arbitrary file disclosure vulnerability in the product (CVE-2019-11510), which carries the maximum severity score of 10.
Both vendors issued patches for the flaws in their products long ago, and security analysts have been warning for some time that adversaries are highly interested in these vulnerabilities. For example, as early as January 2020, Tenable warned that threat actors were using the Pulse Connect Secure vulnerability to distribute Sodinokibi ransomware. In April of this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, the FBI, and the Department of Homeland Security determined that Russia's Foreign Intelligence Service (SVR) had used the Fortinet and Pulse Secure VPN vulnerabilities in attacks targeting U.S. and allied networks.
Jerry Nguyen, director of threat intelligence and rapid response at Nuspire, said the surge in activity against VPN devices in the first quarter of 2021 was tied to organizations' failure to patch these vulnerabilities despite the earlier warnings.
"The US CIRT has issued many reminders that attackers are looking at these VPNs and that people should patch them," Nguyen said. "The most important thing we see on VPNs [is that] when everyone needs to look at both at the same time, everyone is looking at the endpoint, not the perimeter."
Other vendors, such as Digital Shadows, have also reported similar interest in VPNs from attackers, especially since the COVID-19 outbreak and the subsequent shift to more distributed work environments. Analysts pointed out that one reason for the interest is that a compromised VPN device can give attackers broad access to a network.
According to Digital Shadows, attackers targeted vulnerabilities in a range of VPN devices, including Fortinet and Pulse Secure devices, in the first quarter of this year.
"The point is that if a VPN is vulnerable to attack, regardless of the vendor, threat actors will find a way to take advantage of it and monetize it," said Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows. "The adversary knows that, despite public warnings, people are slow to patch, so as long as it proves effective, they will continue to attack vulnerable endpoints."
Nikkel said Digital Shadows has also seen evidence of threat actors exploiting vulnerabilities in VPN products from other vendors.
Decrease in other malicious activities
The irony is that VPN attacks increased dramatically even as malware, botnet, and other exploit activity decreased overall. Nuspire's analysis of threat data for the first quarter of 2021 shows that malware activity fell by more than 54% compared with the fourth quarter of 2020. Exploit activity other than that aimed at VPNs dropped by nearly 22% from the previous quarter, while botnet activity dropped by about 11%.
Nikkel said the relatively sharp decline in malware, exploit, and botnet activity was related to law enforcement's takedown of the large-scale Emotet operation in January.
"Emotet has been one of the most popular malware in our threat reports, and it created a vacuum when it was shut down," Nikkel said.
However, this calm is likely to be temporary, with malware, exploit, and botnet activity already showing an upward trend again in the last quarter.
"I expect another malware family, such as TrickBot, to become popular, or new malware variants will take over," Nikkel said. "Threat actors will not simply stop distributing malware. They will adapt and switch to new things."
Josh Smith, a security analyst at Nuspire, said organizations must pay close attention to remote access security involving VPNs and Microsoft Remote Desktop Protocol (RDP), another favorite target. Both technologies, he said, give threat actors broad access to a network for deploying ransomware. Organizations must monitor their technology stacks and ensure they apply security patches as quickly as possible. Multi-factor authentication (MFA) is also important, he said.
“End users may find it frustrating to have to enter an MFA code, but if credentials that allow access to remote services are leaked, MFA may be the difference between successfully disrupting or preventing access by threat actors,” Smith said.
Jai Vijayan is an experienced technology journalist with more than 20 years of experience in the IT trade press. He most recently served as senior editor at Computerworld, where he covered information security and data privacy for the publication.