- Chinese state actors tracked as “APT5” or “Manganese” are targeting corporate VPN servers through known vulnerabilities.
- The flaws affect Fortinet and Pulse Secure SSL VPN products and were disclosed a couple of weeks ago.
- Patches have been available since May 2019, but a few systems remain outdated and vulnerable.
ZDNet reports that “APT5”, also known as “Manganese”, is actively targeting Fortinet and Pulse Secure VPN servers. The Chinese state-sponsored hacking group is currently trying to exploit the recently disclosed flaws in the two VPN products before system administrators get the chance to patch. The persistent attacks began last week, with APT5 scanning the internet for VPN servers running older, unpatched versions of the Fortinet and Pulse Secure products. These servers allow remote users to retrieve files without authenticating. From there, the attackers can steal hard-coded keys and go on to fully penetrate the corporate network.
There are many thousands of servers running FortiGate and Pulse Secure SSL VPN solutions, the former on 480000 systems and the latter on another 42000. This means the malicious actors have a very high chance of finding systems that remain unpatched, even though the two companies have been pushing the fixes since May 2019. The vulnerabilities were disclosed at the recent Black Hat conference in Las Vegas, but only after the vendors had had the chance to patch their products. The Devcore presentation was bound to pique the interest of attackers, and it did.
The two VPN vendors have earnestly tried, again and again, to warn their clients that they need to update immediately. They published a security bulletin in May, when the fix landed, then used the publicity of the Black Hat presentation to remind their clients to update once more, and then circulated emails again to make the case that an emergency patch needs to be applied. Pulse Secure has even pushed in-product alerts and pinned warning messages on its partner portals and customer support websites.
Still, as is always the case in situations like this, the majority have updated, but some systems have not been patched. Hackers are after those vulnerable systems, as they are typically servers in large organizations and companies, and generally valuable targets. In the case of APT5, the goal is cyber-espionage, along with whatever other valuable data they can get along the way. As we advised last time, even those who have applied the patch can take a few more steps to secure their servers: enable full audit logging and forward the logs to an external server, enable multi-factor authentication, and enable client certificate authentication.