Hey, guys! I’ve been reading a lot about the increase in the usage of remote access tools and VPN services these past few days. That’s not at all surprising considering the whole world is on lockdown and everyone is forced to work from home. However, the number of security concerns related to remote access tools and VPN services is worrisome.
Our Threat Intelligence partner, Recorded Future, has done a thorough research on the vulnerabilities in remote access tools/services/environments that can be and has been exploited by various threat actors. In this blog, I have summarized the findings reported by Recorded Future.
Without further ado, let’s get right into it!
The research covers vulnerabilities in, and threats to, 8 widely used remote access tools and VPN services in corporate enterprises, and identifies techniques that can be used as part of a threat hunting exercise to detect many of these vulnerabilities.
8 tools/services analysed:
Citrix, PulseSecure VPN, Fortinet, TeamViewer, Cisco AnyConnect, Palo Alto Global Protect, OpenVPN, and Solarwinds Dameware.
Both cybercriminals and nation-states widely target and exploit vulnerabilities in remote access tools and VPNs to deploy ransomware, enable cyber espionage, steal sensitive business information, and more.
- Has the most high-risk vulnerabilities and was most exploited by the widest variety of threat actors among the 8 tools/environments assessed.
- Have been targeted and exploited by Chinese and Iranian state-sponsored threat actors within the last 2 years.
2. Multi-factor authentication (MFA)
- Critical for VPN security.
- Insecure storage of authentication and/or session cookies was discovered in some VPN solutions. Some providers issued patches or fixes, while others simply rely on one-time passwords or MFA.
3. Variety of exploitation methods
- Some of the methods used by threat actors to exploit remote access tools are trojanized variants of these legitimate applications, 0-day, 1-day, and historic vulnerability exploits, legitimate credential-based access, phishing lures mimicking these services, and more.
4. Chinese, Russian, Iranian state-sponsored threat actor groups
- Targeted and successfully exploited remote work environments over the last 3 years.
5. Russian speaking cybercriminals
- Have deployed ransomware, extorted victims, and stolen personally identifiable information via exploitation of remote access tools, skillfully and promptly.
6. The pursuit of legitimate credentials
- Threat actors go after legitimate credentials to decrease the detection rate of intrusion activity rather than focusing only on flaws in remote access tools.
7. Microsoft Remote Desktop Protocol (RDP)
- 127% increase in exposed RDP (port 3389) systems on the internet since the beginning of the Covid-19 outbreak in early 2020.
Getting into the analysis summary of each remote access tool/VPN service
As of late March 2020, there are 28 vulnerabilities in Citrix products with a risk score of 65 or higher in the Recorded Future platform.
Risk scores in the Recorded Future platform:
On a scale of 0 to 99, vulnerabilities above 65 are scored as ‘High’ (65-79), ‘Critical’ (80-89) and ‘Very Critical’ (90-99).
One of the most widely referenced and critical Citrix vulnerabilities in recent months has been CVE-2019-19781. This vulnerability impacted the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If left unpatched, CVE-2019-19781 could allow an unauthenticated attacker to execute arbitrary code on a network. Since these Citrix servers lie on the network perimeter and can be used for connecting to workstations and critical business systems, successful exploitation could allow threat actors to access a company’s published applications and internal network resources. Citrix published mitigation advice on this vulnerability on December 16, 2019, and then issued a series of patches on January 22 and 24, 2020.
Citrix services and devices have been valuable targets for threat actors because Citrix functionality can enable remote access to internal networks not otherwise searchable or accessible from the open internet. While this functionality enables remote work and administration, it is also a valuable potential access point for malicious threat actors as well.
1. ‘Ragnarok’ ransomware
- Deployed in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781
- Successful exploitation of this vulnerability allowed attackers to download and execute scripts that scan for Windows computers vulnerable to the ETERNALBLUE vulnerability. After this, the scripts downloaded and installed the Ragnarok ransomware onto the exploited device.
- Ragnarok operators exclude users in Russia and other former Soviet Union countries from being encrypted.
- Also avoids encrypting victims who have the 0804 language ID for China installed.
- Other features: disables Windows Defender and automatic startup repair, and turns off the Windows Firewall.
2. Chinese Ministry of State Security (MSS) actors
- Targeted vulnerable Citrix technologies heavily in operations since at least 2017
- Threat actors RedBravo and APT41 have been targeting Citrix. RedBravo’s TTPs overlap with those of the Chinese groups APT10 and APT31.
- Chinese operators have primarily sought Citrix user credentials as a method for gaining initial access to a targeted network.
3. ‘DoppelPaymer’ ransomware
- A French telecommunications company, Bretagne Telecom, was targeted on February 26, 2020.
- The operators used a vulnerability in the Citrix system, identified as CVE-2019-19781, to infect unpatched servers.
- The ransomware attack did not lead to any data loss or paid ransom since the company was able to restore all of the encrypted systems from available backups on Pure Storage FlashBlade arrays.
Pulse Secure VPN
As of late March 2020, there are 13 vulnerabilities in Pulse Secure VPN with a risk score of 65 or higher in the Recorded Future platform. One of the most widely reported and critical vulnerabilities over the past year has been CVE-2019-11510.
CVE-2019-11510 is an arbitrary file read vulnerability in Pulse Secure VPN that was patched in April 2019 and disclosed in August 2019.
1. Iranian state-sponsored threat groups
- Targeted unpatched Pulse Secure, Fortinet, and Palo Alto Networks VPN servers since at least 2017. The name of this campaign is the “Fox Kitten Campaign”.
- The result of this campaign was successful intrusions into dozens of companies in the IT, telecommunication, oil and gas, aviation, government, and security sectors around the world.
- Linked to using the Pulse Secure VPN vulnerability to deploy a wiper malware against a VPN server used by Bapco, Bahrain’s national oil company.
3. Sodinokibi ransomware
- Infected the exchange company Travelex, causing the company to shut down all of its computer systems, a precaution meant to protect data and prevent the infection from spreading.
- Sodinokibi threat actors encrypted the entire Travelex network and copied more than 5 GB of personal data, including dates of birth, Social Security numbers, card information, and other details.
- Sodinokibi and GandCrab employ similar malware packers, TTPs, and targeted evasion of antivirus software within their code.
As of late March 2020, there are 13 vulnerabilities in Fortinet remote enablement tools with a risk score of 65 or higher in the Recorded Future platform. One of the most widely reported and critical vulnerabilities over the past two years has been CVE-2018-13379.
1. Chinese state-sponsored group APT5
- Used both CVE-2018-13379 (Fortinet) and CVE-2019-11510 (Pulse Secure) in operations only weeks after the vulnerabilities were revealed at the BlackHat conference.
2. Possible Russian cybercriminals
- Posted proof-of-concept (POC) code for CVE-2018-13379 in August 2019 to Verified Forum, one of the most well-known and prominent carding forums for Russian-speaking actors.
As of late March 2020, there are 2 vulnerabilities in TeamViewer remote connectivity tools with a risk score of 65 or higher in the Recorded Future platform. One of the most referenced TeamViewer vulnerabilities over the past two years has been CVE-2018-16550.
This vulnerability could allow remote attackers to bypass the brute-force authentication protection mechanism by skipping the “Cancel” step, which makes it easier to determine the correct value of the default 4-digit pin.
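The design lesson behind a “skip the Cancel step” bypass is that a lockout counter must be advanced by the server on every failed verification, not by a client-driven step. The following is an added simplified model written for this post (not TeamViewer’s code; class names, the 3-attempt threshold and the sample PIN are constructed): a flawed authenticator whose counter only moves in the cancel step, beside a hardened one that counts each failure as it happens.

```python
import hmac

MAX_FAILURES = 3  # lockout threshold used by this constructed model


class WeakPinAuth:
    """Flawed model: the failure counter only advances in cancel(), a
    client-driven teardown step, so a client that never cancels is
    never throttled."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.failures = 0
        self.locked = False

    def try_pin(self, guess: str) -> bool:
        if self.locked:
            return False
        return hmac.compare_digest(guess, self._pin)

    def cancel(self) -> None:
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES


class HardenedPinAuth(WeakPinAuth):
    """Fixed model: every failed verification is counted server-side at
    the moment it happens, regardless of what the client does next."""

    def try_pin(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(guess, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False


def wrong_guesses_accepted(auth: WeakPinAuth, wrong_guesses: list) -> int:
    """Test helper: submit wrong guesses without ever calling cancel() and
    count how many the authenticator evaluated before locking out."""
    accepted = 0
    for guess in wrong_guesses:
        if auth.locked:
            break
        auth.try_pin(guess)
        accepted += 1
    return accepted


SAMPLE_PIN = "0427"                         # constructed sample PIN
WRONG = [f"{i:04d}" for i in range(10)]     # ten guesses, none correct

if __name__ == "__main__":
    print("weak model evaluated:", wrong_guesses_accepted(WeakPinAuth(SAMPLE_PIN), WRONG))
    print("hardened model evaluated:", wrong_guesses_accepted(HardenedPinAuth(SAMPLE_PIN), WRONG))
```

The weak model evaluates all ten wrong guesses; the hardened one locks after the third, which is the property a lockout test should assert.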
1. Russian APT adversary groups
- Employed trojanized versions of TeamViewer, with some of the older activity dating back to at least 2012 and the more recent instances of the use of such malware occurring in April 2019.
2. Black Energy malware
- Likely espionage efforts aimed at Ukrainian government and unidentified Polish targets.
- Checks if an infected host had TeamViewer versions 6, 7, or 8 installed. If TeamViewer was installed, the malware had built-in functionality that would set an additional password for remote unattended access, thus enabling an alternative method of access to the infected host.
3. Chinese state-sponsored group APT41
- Used compromised TeamViewer credentials to access victim networks. Although the researchers were not certain how the credentials were obtained, they observed stolen TeamViewer credentials used for initial access in multiple intrusions across multiple industries over several years.
As of late March 2020, there is 1 vulnerability in Cisco AnyConnect with a risk score of 65 or higher in the Recorded Future platform. One of the most referenced AnyConnect vulnerabilities over the past two years has been CVE-2015-0761.
1. Russian state-supported, targeted intrusion adversary APT28 (Pawn Storm, FANCY BEAR, Sofacy)
- Employed the CHOPSTICK implant to collect information about an infected host.
- This malware does not uniquely target Cisco AnyConnect, but it does perform a search for Cisco AnyConnect (vpngui.exe), among other installed applications, in its initial processes. The role of this implant is to gather, encrypt, and exfiltrate data from an infected host.
2. APT34 (Oil Rig, Helix Kitten)
- Created a trojanized version of Cisco AnyConnect in order to deliver a 2017 version of their Poison Frog malware.
Palo Alto GlobalProtect
As of late March 2020, there is 1 vulnerability in GlobalProtect with a risk score of 65 or higher in the Recorded Future platform. CVE-2019-1573 is a vulnerability that could allow an attacker to access authentication and/or session tokens and replay them to spoof the VPN session and gain access as the user.
This vulnerability is only successful if an attacker already has access to a victim machine. If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session. The vulnerability was also mitigated with a software update in August 2019.
1. Unnamed APT groups
- In October 2019, the U.K. NCSC issued an alert on the Pulse and Fortinet VPN vulnerabilities that also included CVE-2019-1579 for Palo Alto GlobalProtect. The alert indicated that NCSC was investigating the exploitation of these vulnerabilities by these unnamed APT groups.
As of late March 2020, there are 3 vulnerabilities in OpenVPN with a risk score of 65 or higher in the Recorded Future platform. Adding all patches and upgrading to the latest versions of OpenVPN software are the best consistent mitigation recommendations.
Although proofs of concept have been developed for several OpenVPN vulnerabilities (such as CVE-2016-6329, CVE-2016-2183, and CVE-2020-9442), we assess that few threat actors have successfully exploited these vulnerabilities or leveraged the proof-of-concept code.
1. Russian state-sponsored threat actor group APT28 (Pawn Storm, FANCY BEAR, Sofacy)
- Employed the CHOPSTICK implant to collect information about an infected host.
- APT28 is a Russian cyberespionage team that is assessed with a high degree of confidence to be affiliated with the Russian military intelligence service Main Intelligence Directorate/Main Directorate (GRU/GU).
- Previous iterations of the implant performed a search for two variants of OpenVPN Client (openvpn.exe and openvpn-gui-1.0.3.exe), among other installed applications, in its initial processes.
2. Trickbot banking Trojan
- Updated the malware’s password grabber module, which could allow attackers to steal OpenSSH private keys and OpenVPN passwords and configuration files. The password grabber module used by Trickbot is called “pwgrab64.”
- This module retrieves login credentials stored in a victim’s browser cache, and it also obtains login credentials from other applications and web browsers installed on a victim’s host. To communicate with Trickbot’s command-and-control server, it uses HTTP POST requests to send OpenSSH private keys and OpenVPN passwords and configuration files. At the time of this writing, the update to Trickbot’s password grabber module is not fully functional. It currently appears to work only with SSH passwords and private keys for the SSH client PuTTY, not with OpenSSH/OpenVPN passwords.
As of late March 2020, there are 2 vulnerabilities in Dameware Remote with a risk score of 65 or higher in the Recorded Future platform. One of the most referenced Dameware vulnerabilities over the past two years has been CVE-2016-2345.
CVE-2016-2345 is a stack-based buffer overflow which could allow remote attackers to execute arbitrary code via a crafted string. This vulnerability was discovered in late 2015 and a POC was developed. The vulnerability was disclosed and patched in late 2016.
It is not clear whether either high-risk CVE (including CVE-2019-3980) has ever been actively exploited by threat actors. Metasploit has created modules for both CVEs, but both vulnerabilities can be remediated with software updates.
There you go, guys! That’s a condensed summary of Recorded Future’s research paper. If you’d like to read the full research paper, I've attached the file below. If you found this blog useful, then show some love in the comment section below and share the post as well!
Stay safe and stay tuned.
Until next time, friends!
Credit: Recorded Future
[RF Research Paper] VPN and Remote Access Tools Can Expand Enterprise Attack Surface.pdf (1.99 mb)