Hackers are actively attacking enterprise networks by exploiting flaws made public earlier this month. The hackers taking advantage of public technical details and demo exploit code to launch attacks against enterprise targets. The hackers are exploiting flaws discovered in Webmin, a web-based utility for managing Linux and UNIX systems, and VPN products such as Pulse Secure and Fortinet's FortiGate. All three flaws are seen as incredibly serious as if successfully exploited can allow the attacker to take full control of enterprise systems. Researchers are of the opinion that these attacks are some of the worst seen this year due to the networks been targeted that are full of incredibly sensitive data.
The first of these attacks appears to have begun last week on Tuesday with hackers exploiting the flaw discovered in Webmin. The flaw, given the classification CVE-2019-15107, was seen been exploited a day after the flaw was disclosed. The flaw essentially created a backdoor, this was done a year before when other hackers managed to compromise a server belonging to a Webmin developer, where it remained hidden for more than a year before being discovered. As soon as the flaw was disclosed scans for vulnerable Webmin running servers began. Once confirmed by Webmin the flaw, rather than just be scanned for, was now been actively attacked.
According to Bad Packets, a security firm specializing in threat intelligence, several threat actors have been found attempting to exploit the Webmin flaw. One of them believed to be the operators of the Internet of Things botnet Cloudbot. According to Webmin there are over one million active users of the software package across the globe. All versions between and including 1.882 to 1.921 are vulnerable. Version 1.890 appears to have the backdoor active by default. Another concerning development is that by successfully compromising a system running Webmin, can also allow attackers access to all the Linux, FreeBSD, and OpenBSD servers that are being managed through these Webmin installs, allowing attackers to launch attacks on millions of other endpoints and servers. The team behind Webmin released a new version, 1.930, which patches the flaw. Administrators are advised to update the software as there already exists demo exploit code allowing for attacks to be automated.
For those looking to secure enterprise networks news of the Webmin flaw may have come as a nasty shock. More bad news was to come. By Friday of the same week, reports began surfacing that two more flaws were actively been exploited by hackers. The flaws were disclosed at a security conference that same week. The flaws affect popular VPN products used by enterprises. The talk at the conference covered how attacks could be carried out to gain access to enterprise intranet by exploiting flaws in numerous VPN products. Further, on August 9, in a blog article published by Devcore, included the technical details used by those at the conference to compromise VPNs. Both the flaws, CVE-2019-11510 affecting Pulse Secure and CVE-2018-13379 affecting FortiGate, are classified as pre-authentication file reads. This means that if correctly exploited hackers can retrieve files from a targeted system without needing to authentication.
Researchers based at Bad Packets have also been tracking attacks targeting these flaws. In an article published by the threat intelligence firm as many as 14,500 Pulse Secure users are vulnerable to attacks exploiting the flaw. Hackers are currently scanning the internet for vulnerable devices, and then they are retrieving system password files from Pulse Secure VPNs and VPN session files from Fortinet's FortiGate. With these two files in hand, attackers can either authenticate on the devices or fake an active VPN session. As to vulnerable systems running FortiGate exact numbers are not yet known. Patches for both the flaws have been available for months, with Pulse Secure releasing their patch in April and FortiGuard releasing their patch in May.
It goes without saying that administrators should patch the relevant VPNs as soon as possible. One of the important considerations pressing the need to patch is that these VPNs are offered almost exclusively to enterprises. They are expensive when compared to other products intended for home use. This implies that the data held within these networks is incredibly sensitive and important to daily operations. If data is sensitive then it can be incredibly valuable to hackers and criminal organizations who require data to extort, ransom or sell sensitive data. To further illustrate the importance of ensuring the software is patched with the latest version, Bad Packets has detected networks belonging to military departments running Pulse Secure. It is not only military departments detected by Bad Packets, government departments, schools and universities, hospitals and other healthcare organizations, as well as numerous Fortune 500 companies.
As mentioned above proof of concept code already exists. A quick GitHub search revealed that the VPN flaws, Pulse Secure and FortiGate already has code online proving how to exploit the flaws. This drops the entry barrier enough to allow low skill level hackers the ability to successfully exploit the flaws and other more skilled hackers to automate attacks. Pulse Secure deems the flaw serious enough to warrant a 10 out of 10 rating in terms of the severity of the flaw. Yet despite the warnings and a patch being available many users are yet to patch the vulnerability. Given recent fines meted out to British Airways patching software packages should be a priority. The airline was fined a record 183 million GBP for a data breach which occurred in 2018.