APT groups are exploiting outdated VPNs to spy on international targets, U.K. and U.S. warn
International hacking groups are exploiting vulnerabilities in virtual private network technologies to steal user credentials and monitor sensitive traffic, the United Kingdom’s National Cyber Security Centre said, amid recent warnings that the Chinese government has used similar tactics to collect intelligence.
The NCSC, an offshoot of Britain’s intelligence agency, the GCHQ, said on Oct. 2 hackers are leveraging outdated versions of Palo Alto Networks, Fortinet and Pulse Secure products. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency published its own advisory on the vulnerabilities, which attackers could use to take over an affected system, on Oct. 4.
The U.S. National Security Agency issued its own advisory in connection with the vulnerabilities on Monday.
None of the warnings speculate on who may be behind the attack, though the alerts come after Microsoft in August said Manganese, a Chinese hacking collective also known as APT5, was focusing attacks on Pulse Secure and Fortinet products. Pulse Secure, Palo Alto and Fortinet have each released security updates for all of the affected products.
“This activity is ongoing, targeting both U.K. and international organisations,” the NCSC advisory stated. “Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source.”
By exploiting the vulnerabilities, attackers could connect to a VPN, then change its configuration settings, collect username and password credentials, and obtain the access necessary to introduce secondary exploits, which in turn could provide attackers with more valuable privileges.
The three affected VPN services are widely used throughout the Fortune 500. Fortinet’s Fortigate SSL VPN, for instance, is especially popular among medium-sized companies, running on roughly 480,000 servers around the world.
APT5 is an advanced persistent threat group with apparent links to the Chinese government that’s been active since at least 2007, according to a FireEye report. It has delivered malicious software against targets throughout Southeast Asia, with a special interest in the energy, telecommunications and transportation sectors. Manganese is Microsoft’s term for the same group.
Update 10/07/19. 3:15pm ET: This story was updated to include mention of the U.S. National Security Agency’s advisory.