Hackers mount attacks on Webmin servers, Pulse Secure, and Fortinet VPNs
To nobody's surprise, hacker groups have started exploiting vulnerabilities that have been made public earlier this month, taking advantage of public technical details and demo exploit code to launch attacks against real-world targets.
Attacks have started this week, and they've been seen targeting Webmin, a web-based utility for managing Linux and *NIX systems, but also enterprise VPN products such as Pulse Secure and Fortinet's FortiGate.
All three types of attacks are equally dangerous, as they target devices in enterprise networks, and allow attackers to take full control of the attacked systems.
Without exaggerating, this week's attacks against Webmin, Pulse Secure, and Fortinet FortiGate are some of the worst this year, not because of volume, but because of the sensitive nature of the systems they target.
Webmin attacks
The first of these attacks started on Tuesday, a day after news of a major backdoor was disclosed in Webmin, a web-based tool that system administrators use to manage remote Linux and *NIX systems.
The backdoor made it in the Webmin source code after other threat actors compromised a server belonging to a Webmin developer, where it remained hidden for more than a year before being discovered.
Scans for this vulnerability started after a security researcher held a presentation at the DEF CON security conference, detailing the vulnerability (later proven to be a backdoor) in more depth.
CVE-2019-15107 scans have already started.#threatintel https://t.co/UWv2IyuqaV
— Bad Packets Report (@bad_packets) August 20, 2019
However, once the Webmin team confirmed the severity of this issue, the scans for Webmin servers immediately turned into active exploitation attempts.
Per threat intel firm Bad Packets, there are several actors that are currently exploiting the Webmin vulnerability, with one of them being the owners of an IoT botnet named Cloudbot.
CVE-2019-15107 (Webmin RCE) exploit attempts detected since 2019-08-21T21:33:21Zhttps://t.co/ZE6wNPfIcX#threatintel
— Bad Packets Report (@bad_packets) August 23, 2019
🚨 𝗔𝗟𝗘𝗥𝗧 🚨
— Bad Packets Report (@bad_packets) August 24, 2019
Active DDoS botnet C2 server detected!
IP address: 147.135.124.113 (🇺🇸)
Hosting provider: OVH (AS16276)
C2 ports:
396/tcp
455/tcp
3465/tcp
Vulnerability exploited:
CVE-2019-15107 (Webmin RCE)
http://147.135.124.113/bins/ #opendir#threatintel pic.twitter.com/bDXxiXUbCO
Webmin administrators are advised to update to v1.930, released last Sunday, to protect their systems against CVE-2019-15107 (the RCE vulnerability/backdoor). Public exploit code exists for this bug, making attacks trivial and easy to automate, even by low-skilled threat actors.
The Webmin team claims there are over one million active Webmin installs on the internet. All Webmin versions between 1.882 to 1.921 downloaded from Sourceforge are vulnerable; however, in v1.890, the backdoor was active by default. According to BinaryEdge, there are 29,000 Webmin servers connected to the internet, running this particular version, which accounts for a huge attack surface.
Furthermore, compromising these targets can also allow attackers access to all the Linux, FreeBSD, and OpenBSD servers that are being managed through these Webmin installs, allowing attackers to launch attacks on millions of other endpoints and servers.
Pulse Secure and FortiGate VPN attacks
But if this week started bad, it ended even worse. By Friday, attackers also started exploiting another set of vulnerabilities, also disclosed at a security conference -- but this time at Black Hat.
These vulnerabilities were part of a talk named "Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs," which contained details about a slew security bugs in multiple enterprise VPN products.
However, the attacks didn't target all the VPN products detailed in the talk. They targeted only two, namely Pulse Secure VPN and Fortinet's FortiGate VPN.
It is more likely that attackers used the technical details and proof-of-concept code included in an August 9 blog post by Devcore, the company where the two Black Hat presenters worked, as a starting point for preparing their attacks.
This blog post included details and demo code for various vulnerabilities in the two aforementioned two VPN products. However, attackers chose only two of those vulnerabilities, namely CVE-2019-11510 (affecting Pulse Secure) and CVE-2018-13379 (affecting FortiGate).
Both are "pre-authentication file reads," meaning a type of vulnerability that can allow hackers to retrieve files from a targeted system without needing to authenticate.
According to the same Bad Packets, and other researchers on Twitter, the hackers are scanning the internet for vulnerable devices, and then they are retrieving system password files from Pulse Secure VPNs and VPN session files from Fortinet's FortiGate. With these two files in hand, attackers can either authenticate on the devices or fake an active VPN session.
In a blog post over the weekend, Bad Packets said there are almost 42,000 Pulse Secure VPN systems available online, of which nearly 14,500 have not been patched.
And patches have existed for months, for both products, with Pulse releasing its patch in April, and Fortinet in May.
The number of FortiGate VPNs is also believed to be in the hundreds of thousands, although we don't have an exact stat about the number of unpatched systems that are still vulnerable to attacks.
Either way, owners of such devices are advised to patch as soon as possible. These are expensive enterprise-grade VPN products, and they're not found in places that don't usually need them, meaning they typically protect access to highly-sensitive networks.
As an example, security researchers from Bad Packets said they identified Pulse Secure VPNs on the networks of:
- U.S. military, federal, state, and local governments agencies
- Public universities and schools
- Hospitals and health care providers
- Major financial institutions
- Numerous Fortune 500 companies
The vulnerabilities are as bad as they can get. Pulse Secure tried to highlight this issue to its customers by giving the security bug a rating of 10 out of 10, yet, four months later, many customers have failed to patch.
Furthermore, making matters worse, weaponized proof-of-concept code is now freely available in several places online, for both issues, including GitHub [1, 2].