Both U.S. and U.K. government agencies have taken the unusual step of issuing an “update now” warning to Windows, macOS and Linux users concerning a critical cybersecurity threat from advanced persistent threat (APT) attackers. Here’s everything you need to know.
The nature of the cybersecurity threat
It isn’t the first time that the National Security Agency (NSA) has released a critical security vulnerability warning, but these “update now” advisories from government agencies are few and far between. Once again, though, the NSA is issuing such a warning, this time regarding ongoing attacks by advanced persistent threat (APT) actors. The NSA warns that attackers could remotely take control of affected Windows, macOS and Linux systems. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory recommending that users upgrade now, and the National Cyber Security Centre (NCSC) in the U.K. has published its own alert. So what is the threat behind this string of critical warnings?
The NSA advisory concerns the exploitation of multiple vulnerabilities in Virtual Private Network (VPN) applications. As is often the case, these official government warnings come when vulnerabilities that have been known about for some time, and for which fixes are available, are still being exploited. Indeed, according to the NCSC alert, the vulnerabilities are well documented in open source, and exploitation is continuing against international targets across the academic, business, government, healthcare and military sectors.
A brief history of affected VPN warnings
The vulnerabilities are found in several enterprise VPN products and can enable a remote attacker to retrieve files from the device, including files containing authentication credentials. Armed with these credentials, slow and stealthy APT attackers can then change the configuration of the VPN or dig deeper into the internal network. Intelligence gathering, data exfiltration and system control are all on the table.
Things kicked off back on July 26, when CISA warned of multiple VPN applications being vulnerable to cyber-attack. On August 21, exploit code for one of the VPNs became available publicly, and the next day a well-known security professional, Kevin Beaumont, revealed the first sightings of exploit activity in the wild. On August 28, the Canadian Centre for Cyber Security released an indicators of compromise list regarding three of the most popular enterprise VPN products: Pulse Secure, Palo Alto GlobalProtect and Fortinet FortiGate.
In the meantime, FortiGuard Labs, Palo Alto Networks and Pulse Secure all issued advisories with strong recommendations to update to the fixed versions as soon as possible. It would seem that this advice has not been followed by enough organizations, and the exploits are ongoing. On October 2, the NCSC in the U.K. issued an essential mitigation alert, and this was followed, on October 7, by a similar cybersecurity advisory from the NSA, which adds actions to harden defenses over the longer term.
Government mitigation advice
The NCSC mitigation advice is, unsurprisingly, to apply the latest updates released by the vendors concerned. The NCSC acknowledged that “patching is not always straightforward and in some cases can cause business disruption,” but, quite correctly, said this remains the “single most important step” that can be taken to protect against the ongoing attack threat.
Both the NCSC and NSA advise that authentication credentials associated with the VPNs and any accounts connecting through them should be reset. “If a malicious actor previously exploited the vulnerability to collect legitimate credentials,” the NSA said, “these credentials would still be valid after patching.” The NSA further recommends the credential reset is performed after the VPN has been updated but before it is reconnected to the external network.
The NCSC also recommends that, if you suspect an attacker has successfully exploited one of the vulnerable VPNs but cannot find specific evidence of it, then wiping the device (a factory reset) should be considered.
Both agencies recommend the use of multi-factor authentication, so that credentials stolen through the VPN are not on their own enough to log in, and the disabling of unused functionality and services to reduce the attack surface.
The NSA advisory concludes by recommending that organizations move away from proprietary SSL VPN protocols to IETF standards-conformant TLS or IKE/IPsec VPNs. If your organization cannot do this and continues to use SSL VPNs, the NSA says that public-facing VPN web applications should use only TLS 1.2 or later for network traffic encryption, certificate-based authentication and integrity. Self-signed and wildcard certificates are discouraged, and legitimate certificates should be rotated and kept up to date.