Hackers are actively trying to steal the passwords of two widely used VPNs


Hackers are actively launching attacks that attempt to steal encryption keys, passwords, and other sensitive data from servers that have failed to install critical patches for two widely used virtual private network products, researchers said.

The vulnerabilities can be exploited by sending unpatched servers web requests containing a special sequence of characters, researchers said at the Black Hat security conference in Las Vegas. The pre-authentication file-read vulnerabilities reside in the Fortigate SSL VPN, installed on approximately 480,000 servers, and the Pulse Secure SSL VPN, installed on approximately 50,000 machines, researchers from Devcore Security Consulting reported.

The Devcore researchers found other critical vulnerabilities in both products that allow attackers to remotely execute malicious code and change passwords. Fixes became available in May for the Fortigate VPN and in April for Pulse Secure. Installing patches, however, can often cause service interruptions that prevent businesses from performing critical tasks.

Spraying the Internet

In the last 36 hours, hackers have begun spraying the Internet with code that tries to opportunistically exploit this patching gap, independent researcher Kevin Beaumont said. He said he found attacks against Fortigate servers coming from 91.121.209.213, an IP address with a history of malicious behavior. An analysis conducted on Friday with the help of the BinaryEdge search engine showed that a second IP address, 52.56.148.178, had also begun spraying exploits for the same vulnerability.

Earlier this month, two exploit code samples for the Fortigate vulnerability, tracked as CVE-2018-13379, became publicly available here and here. The first retrieves data stored on vulnerable machines, while the second simply checks whether a machine is vulnerable.

Meanwhile, Beaumont added, attacks attempting to exploit unpatched Pulse Secure servers are coming from 2.137.127.2. Exploit code for that vulnerability, which is tracked as CVE-2019-11510, became public earlier this week. Independent researcher Troy Mursch also discovered attacks from 81.40.150.167 that were attempting to exploit or test for the same vulnerability. Once one of these mass scans identifies a vulnerable server, the attacker can go on to exploit a code-execution flaw that the Devcore researchers also discovered.

"These scans target end-systems vulnerable to arbitrary file reads, resulting in the disclosure of sensitive information about private keys and user passwords," Mursch told Ars. "They are exploiting this vulnerability to read the contents of the file 'etc/passwd' in order to steal the credentials. This identification information can then be used to conduct other command injection attacks (CVE-2019-11539) and access the private network, thus allowing for additional malicious activity."

Mursch said that the honeypot server he used to detect the attacks also identified 2.137.127.2 as targeting the Pulse Secure vulnerability. He added that he did not believe either IP address belonged to a researcher who was merely scanning for unpatched servers. His honeypot was unable to detect code attacking the Fortigate vulnerability. Beaumont used a honeypot provided by BinaryEdge.
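A small defender-side check, added here as an example and not part of the original article: it scans constructed web-server access-log lines for the directory-traversal sequences and credential-file reads the scans described above rely on, and for the source addresses the article reports. The combined log format, the sample lines, and the regular expressions are assumptions, not Fortigate or Pulse Secure specifics.

```python
import re
from urllib.parse import unquote

# IP addresses the article reports as sources of the scans.
REPORTED_SCANNER_IPS = {"91.121.209.213", "52.56.148.178", "2.137.127.2", "81.40.150.167"}

# Decoded-path indicators of a pre-auth file-read attempt: directory-traversal
# sequences and the credential file the article says the scans read.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.IGNORECASE)

# Constructed sample of a combined-format access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2019:10:00:01 +0000] "GET /remote/login HTTP/1.1" 200 1532
2.137.127.2 - - [09/Aug/2019:10:00:05 +0000] "GET /example/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 4120
198.51.100.7 - - [09/Aug/2019:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 9876
81.40.150.167 - - [09/Aug/2019:10:00:12 +0000] "GET /example/../../../etc/passwd HTTP/1.1" 404 512
"""

# Assumed combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def decode_path(path):
    # Decode twice so that double-encoded traversal (%252e%252e%252f) is also exposed.
    return unquote(unquote(path))


def scan_log(text):
    """Return one dict per suspicious line: traversal in the path or a reported scanner IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, size = m.groups()
        decoded = decode_path(path)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("path-traversal")
        if ip in REPORTED_SCANNER_IPS:
            reasons.append("reported-scanner-ip")
        if reasons:
            # A 200 response to a traversal request suggests the file read succeeded.
            hits.append({"ip": ip, "path": decoded, "status": int(status),
                         "likely_success": status == "200", "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with `likely_success` set should be treated as a probable credential disclosure, not just a scan, and the affected server patched and its passwords and keys rotated.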

The vulnerabilities are serious because they affect software that must be reachable from the Internet and that serves as a gateway to highly sensitive parts of a company's network. Obtaining hashed passwords and, in some cases, plaintext passwords, encryption keys, and other sensitive data could allow attackers to gain entry to those networks. With more work, attackers who identify unpatched servers could also exploit the other vulnerabilities discovered by the Devcore researchers. One Fortigate flaw, which they dubbed "The Magic Backdoor," allows remote attackers who know a hard-coded key to change passwords.

Representatives from Fortinet and Pulse Secure said their companies have been urging customers for months to patch their systems as quickly as possible. Neither company could confirm or elaborate on the scanning reports from Beaumont and Mursch. Organizations using either of these VPNs should take the time to make sure they are not vulnerable.
