Some of the world's top VPN servers are currently under attack by a group of Chinese state-sponsored hackers after details regarding vulnerabilities in their products were publicly disclosed at this year's Black Hat security conference.
A group known as APT5 (or Manganese) is carrying out the attacks against both Fortinet and Pulse Secure's enterprise servers.
According to a recent report from FireEye, the group has been active online since 2007 and it “appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure”.
The cybersecurity company says that the group has targeted organizations across a variety of industries, though its main focus appears to be on telecommunications and technology companies, with a special interest in satellite communications firms.
After details emerged about vulnerabilities in both Fortinet and Pulse Secure VPN servers during a talk by security researchers at Devcore, a subgroup of APT5 began scanning the internet for vulnerable servers from both companies.
The CVE-2018-13379 vulnerability in Fortinet's VPN products and the CVE-2019-11510 vulnerability in Pulse Secure's VPN products are both “pre-auth file reads” that allow an attacker to obtain files from a VPN server without having to authenticate.
APT5 and other cyber threat actors have exploited these two vulnerabilities to steal files containing password information or VPN session data from Fortinet and Pulse Secure's products. However, those who have observed their attacks have so far been unable to determine whether the group was successful in breaching either company's devices.
Security researchers at Devcore discovered the Fortinet and Pulse Secure vulnerabilities earlier this year, and the company reported the issues to both vendors at the beginning of this year. Pulse Secure released a patch in April and Fortinet released a patch a month later in May.
However, APT5 was able to continue its attacks as many customers from both companies have yet to patch their devices. If your organization has a VPN server from either Fortinet or Pulse Secure, it is highly recommended that you patch your device immediately to prevent falling victim to an attack by APT5 or other cybercriminal groups looking to exploit these vulnerabilities.