APT5 Hunts for Vulnerable VPN Servers

Delaware, USA – September 6, 2019 – Just two weeks after revealing vulnerability details at the Black Hat USA security conference, Chinese cyberespionage group APT5 started to search and attack vulnerable VPN servers from Pulse Secure and Fortinet. According to ZDNet, the adversaries exploit CVE-2019-11510 and CVE-2018-13379, which allow an unauthorized user to receive files from the server, the hacking group exploits these vulnerabilities to obtain VPN session data and credentials. Vendors were informed about vulnerabilities this March and released updates to fix these issues in the following months. Even though critical updates were released several months ago, there are still tens of thousands of vulnerable servers worldwide. In late August, Fortinet, because of the catastrophically large number of unpatched servers, published an article with vulnerability details. Pulse Secure actively urged customers to install updates from the very moment they were released, but despite all their efforts, there are about 10 thousand unpatched Pulse Secure SSL VPN servers in the world.

APT5 is a large Chinese group, uniting several separate units, which carries out attacks mainly in Asia since 2007. The group conducts cyber espionage campaigns targeting telecommunication and technology companies, and compromising vulnerable VPN servers will allow attackers to gain access to the internal network of organizations of their interest. So far, there is no reliable information about successful compromises of organizations using Pulse Secure and Fortinet solutions. You can strengthen your defense with VPN Security Monitor rule pack which helps SIEM to uncover signs of abuse or unauthorized access to the VPN service and enable real-time tracking of VPN connections: https://my.socprime.com/en/integrations/vpn-security-monitor-hpe-arcsight