Chinese APT group targets Fortinet and Pulse servers


VPN servers in the firing line from state-sponsored hackers

Chinese state-sponsored hackers have targeted VPN servers from Fortinet and Pulse Secure using publicly available security flaws.

According to a report by FireEye, the attacks have been carried out by a Chinese hacking group known as APT5. The flaws in the VPN servers were publicly disclosed at this year's Black Hat security conference.

Researchers at FireEye said that the group has been active since 2007 and "appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure".

The group is particularly focused on telecommunications and technology companies.

"More than half of the organisations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organisations and personnel based in Southeast Asia," the report said.

When details about the flaws in both Fortinet and Pulse Secure VPN servers came to the fore, a subgroup of APT5 began scanning for vulnerable servers.

The flaws (CVE-2018-13379 in Fortinet's VPN products and CVE-2019-11510 in Pulse Secure's VPN products), are "pre-auth file reads" that enables an attacker to obtain files from a VPN server without having to authenticate. Since the flaws were disclosed, both Fortinet and Pulse Secure released patches.

The hackers used the flaws to steal data storing password information or VPN session data from the affected products. However, according to a report by ZDNet, sources observing the attacks said they weren't in a position to determine if the group was successful in breaching the devices.

Prash Somaiya, technical programme manager, HackerOne, told SC  Media UK that hackers, both white hat and black hat, collect huge amounts of data on their targets. 

"They have a passive understanding of the types of services and systems that their targets are running. When a vulnerability is made public (as with Pulse and Fortinet), researchers are able to search through their data and find targets with the vulnerable software running. This enables them to exploit these systems incredibly quickly," he said.

He added that a number of Pulse and Fortinet customers still haven’t installed patches that were released in April and May, respectively.

"In Fortinet’s case, they both failed to notify their customers of the flaw and make the subsequent patch accessible," said Somaiya.

"Pulse on the other hand, took the right action: they sent a security advisory to their customers and requested a CVE. Therefore, it seems the unpatched flaws in their servers lays with the negligence of their customers. Everyone, on both sides of the coin, has a responsibility for security: companies need to alert and advice their customers and, in turn, the customers need to heed this advice."

Sam Curry, chief security officer at Cybereason, told SC Media UK that we should be very careful not to denigrate possibly innocent security companies. 

"This is reminiscent of other hacks against RSA and Diginotar, where the fabric of trust is attached. However, life goes on; and we just learn and adapt collectively. The message to us all should be that security requires depth in planning and architecture: segmentation, assumption of compromise, good comms practices even when security is believed to be in place and so on," he said.

"Further, we should be assuming compromise of controls and prevention failures and therefore hone our cyber-capabilities: detection, hunting, behavioural monitoring and so on. Now all eyes are on the vendors to see how they handle their customers, their services and their responsibilities."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews