August 25, 2019
The common assumption is that Virtual Private Networks, or VPNs, are online services that encrypt users' data and communications on the Internet to keep hackers and content snoopers out, giving users privacy in the process. However, how effective a given VPN brand actually is depends on many factors, most notably its infrastructure and its policies.
According to researchers at the Black Hat security conference held last month in Las Vegas, cybercriminals are carrying out attacks to steal passwords, encryption keys, and other valuable information from unreliable VPN servers of two well-known brands. Many servers running these two products, Fortigate SSL VPN and Pulse Secure SSL VPN, have not applied some crucial fixes, a situation that leaves them extremely vulnerable to hackers stealing that information from the servers.
Problems With Unpatched
According to the investigators at the Black Hat meeting, these vulnerabilities can be exploited if an attacker sends unpatched servers Web requests containing a particular sequence of characters.
The file-reading exploits were found at Fortigate, installed on nearly 500,000 servers, and Pulse Secure, found on 50,000 of them, according to information presented by Devcore Security Consulting specialists and researchers.
The folks at Devcore also unveiled other key exploits affecting both brands. Attackers who take advantage of them can execute malicious code and change passwords remotely. Fortigate released patches for these issues in May, whereas Pulse Secure did so in April.
However, several users have reported that once the patches were installed, they often experienced service disruptions that kept them from performing essential operations of a VPN
Bad Packets, a security intelligence service, performed Internet scans in recent hours. The results showed that Pulse Secure had 2,658 endpoints vulnerable to flaws that are being exploited at the moment. According to the scan, these endpoints belonged to institutions and organizations such as the US military and other federal, state, and local government agencies, as well as public universities and schools, banks, hospitals, and health care providers. The majority of the endpoints are located in the United States.
Over the past two days, cybercriminals have spent much of their time spraying the Internet with code that tries to exploit the situation, according to well-known independent researcher Kevin Beaumont.
Beaumont said that he observed attacks against Fortigate servers coming from the IP address 18.104.22.168, one that has been associated with malicious activity in the past. Another address, 22.214.171.124, was seen spraying exploits in a Friday scan with the BinaryEdge engine.
Beaumont pointed out that the attacks on unpatched Pulse Secure servers are coming from 126.96.36.199, with the exploit code having become available this week. Independent researcher Troy Mursch, the one behind Bad Packets, explained that he identified attacks coming from
If a mass scan manages to spot a vulnerable or exploitable server, it could exploit a code-execution flaw that the specialists at Devcore unveiled.
Mursch observed that the scans target endpoints that are vulnerable to arbitrary file reading, a flaw that leaks critical data, most notably user credentials and private keys. These can subsequently be used for further command injections to gain access to private networks.
Essentially, Mursch used a server to attract attackers and learn more about them, and the same server he used to detect these attacks also spotted the IP address 188.8.131.52 attempting the Pulse Secure exploit as well.
His belief is that either of these IP addresses may have been operated by researchers investigating the matter by scanning for unpatched servers. The “honeypot” was provided
The exploits are particularly serious because they affect software that must be reachable from the Internet and that acts as a gateway into parts of an organization's network that are supposed to be private or sensitive.