The National Cyber Security Centre (NCSC) in the UK has issued further advice to users of certain VPNs who were attacked by a Chinese state-sponsored hacking group (APT5).
As we reported last month, the VPNs in question were Fortinet and Pulse Secure, as well as Palo Alto VPN, and as we previously observed, patches were released for the security flaws earlier this year – although not all companies applied them, so remain vulnerable to exploitation by APT5 (or indeed other cyber-attackers).
- Beware of fake VPN websites loaded with malware
- Mozilla is launching a VPN
- Other VPN security flaws could leave you wide open to attacks
Naturally, if you use these VPNs, hopefully you’ve already applied the relevant patch – but if not, obviously that should be an absolute top priority.
Following patching, however, the NCSC has outlined some further measures on detecting if you’ve been exploited, and additional mitigations.
The first point customers of these VPNs should action is to comb through their logs there any evidence of compromise – particularly if the aforementioned patches were only recently applied.
The organization further notes: “Administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.”
Further details on how to go forward with this are provided by the NCSC here (opens in new tab).
System admins who suspect that any exploitation or hacking may have taken place should reset admin and user credentials which were at risk of theft, for obvious reasons.
The organization also details further mitigation measures for those who have detected exploitation of their VPN (or those who have been previously targeted by APT or indeed other cyber-attackers).
That includes instigating two-factor authentication for the VPN, if that’s available with the service, and to disable any functions (or ports) which aren’t used by the VPN. This is what’s known as reducing your threat surface, of course – if you don’t need stuff, it can be turned off, and therefore any possible exploitation of that particular functionality is therefore made impossible.
Furthermore, the NCSC observes that if you suspect exploitation has taken place on a device, but can’t pinpoint any evidence, it may just be safest to factory reset the device.
System admin should also continue to review logs for the VPN, and indeed all network traffic through the VPN, checking for red flags like connections from uncommon IP addresses.
And of course you should check VPN settings, as the organization advises: “Check all configuration options for unauthorized changes. This includes the SSH authorized_keys file, new iptables rules and commands set to run on connecting clients. If you have known-good backups of the configuration you can restore then restoring these may be prudent.”
The NCSC also reminds us that any current activity related to these threats to VPNs can be reported via the organization’s website (opens in new tab).
- We've also highlighted the best VPN services of 2019