Governments in the UK and the US have warned users of Windows, macOS and Linux to update their systems following the discovery of multiple advanced persistent threat (APT) groups using a VPN exploit to remotely control computers.
An advisory from the NCSC in the UK said that the flaws were "well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable".
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory that urges users to upgrade systems now. The exploit affects several enterprise VPN products, including those from Palo Alto, Fortinet, and Pulse Secure.
The vulnerabilities allow hackers to access files, including ones containing authentication credentials. Those credentials would enable an attacker to change VPN configurations or gain access to a victim network.
Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.
The NCSC admitted that as far as this vulnerability is concerned, "patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself".
The organisation also said that if exploitation of the flaw is suspected but no specific evidence of changes can be found, "you may wish to factory reset (or wipe) your device".
The NCSC also said organisations should enable two-factor authentication for the VPN to defend against password replay attacks.
Tim Mackey, principal security strategist at Synopsys CyRC (Cybersecurity Research Center), told SC Media UK that whenever new research is published showing a potential exploit, that exploit will eventually form part of a toolkit used by malicious actors.
"In this case the NSA is calling out that a class of attack known as an Advanced Persistent Threat, or APT, has been created to take advantage of the vulnerabilities disclosed. An APT relies on the reality that inevitably someone won’t have patched their system and then can be exploited," he said.
"The easy answer then becomes to patch, but this time it’s more complicated. Given the nature of the vulnerabilities, it’s entirely possible that a successful exploit has occurred with at least one user of an impacted system. Proper patching in this context requires both a reset of any access credentials and potentially a reset of any access tokens used by users for cloud services."
Noam Shany, product manager at CyberArk, told SC Media UK that flaws in how VPNs operate have led many organisations to examine other ways to provide remote access to the most sensitive parts of the corporate network.
"Advances in Zero Trust access, granular access to only the critical system instead of the whole network, biometric multi-factor authentication and just-in-time provisioning, in combination with session isolation and management, allow VPNs to be dispensed with completely in some circumstances, for example privileged access to critical systems," he said.