It has been reported that UK and US government agencies have taken the unusual step of issuing a rare "update now" warning to Windows, macOS and Linux users about a critical cybersecurity threat from advanced persistent threat (APT) attackers. The NSA's advisory concerns an ongoing campaign by APT actors and warns that attackers could remotely take control of affected Windows, macOS and Linux systems. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory recommending that users upgrade now, and the UK's National Cyber Security Centre (NCSC) has also issued an alert.
The NSA advisory concerns the exploitation of multiple vulnerabilities in Virtual Private Network (VPN) applications. As is often the case, such official warnings come when vulnerabilities that have been known for some time, and for which fixes are already available, continue to be exploited. Indeed, according to the NCSC alert, the vulnerabilities are well documented in open sources, and exploitation is continuing against international targets across the academic, business, government, healthcare and military sectors.
Commenting on this, Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center), said “Most remote workers are familiar with a key requirement to access corporate systems – the ubiquitous VPN client or VPN software. VPN software is used by most businesses to provide a connection to services secured on internal networks to their employees who require access from public networks. The software works by bridging the network on the client device, be it a desktop, laptop or tablet, to the internal network. Access occurs over an encrypted network connection which in theory ensures that sensitive corporate information isn’t visible to other users on the public network and is only accessed by authorised individuals. VPN software is of course a software application, and it needs to be secured just like any other software – so what happens when it isn’t?
This is precisely the scenario outlined in the advisory from the US NSA and the UK NCSC issued on October 7, following up on an advisory from the Canadian Centre for Cyber Security in August based on research disclosed at the annual Black Hat and DEFCON conferences in August. In their talks at Black Hat, the researchers from DEVCORE outlined a series of exploits in popular VPN software from multiple vendors. In each of the scenarios covered, the researchers followed responsible disclosure practices and worked with the VPN vendors to ensure patches were created. So if patches are available, why is the NSA issuing a bulletin almost two months later?
Whenever new research is published showing a potential exploit, that exploit will eventually form part of a toolkit used by malicious actors. In this case the NSA is calling out that a class of attack known as an Advanced Persistent Threat, or APT, has been created to take advantage of the vulnerabilities disclosed. An APT relies on the reality that inevitably someone won’t have patched their system and can then be exploited. The easy answer then becomes to patch, but this time it’s more complicated. Given the nature of the vulnerabilities, it’s entirely possible that a successful exploit has occurred with at least one user of an impacted system. Proper patching in this context requires both a reset of any access credentials and potentially a reset of any access tokens used by users for cloud services. The credential reset must occur after the patch has been applied, as any reset prior to the patch could enable the attackers to collect the updated credentials. It’s also worth noting that the researchers were able to demonstrate a bypass of a 2FA solution, meaning that organisations that are delaying rollout of patches believing that their MFA solution mitigates the attack vector may be at greater risk. The last part of the remediation is to perform a forensic analysis to ensure that no infection occurred and that systems are configured as expected.
For the technical folks out there, this situation was created in part due to VPN vendors creating proprietary implementations of secure communication protocols. Unlike implementations from open source solutions, proprietary implementations of security solutions often lack the level of scrutiny afforded to implementations performed by open source communities. Additionally, the VPN solutions involved allow for proprietary extensions to be written in languages like C/C++, Perl or Python. These extensions all require additional care when validating and executing an extension. To best address the types of problems covered in this advisory, VPN vendors should implement a security regimen encompassing protocol fuzzing and threat models. VPN customers expect their VPN to provide a highly secure connection from a public network, and public networks are notoriously unreliable making any instability within the VPN an opportunity for attack.”
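The remediation order described in the comment above (patch first, rotate credentials and cloud tokens only after the patch so they cannot be harvested again, then complete a forensic review, and never treat MFA as a reason to defer the patch) can be checked mechanically across a fleet of VPN appliances. The script below is an added example, not code from the article, the NSA advisory or Synopsys; the host names, timestamps and record fields are constructed sample data, and the finding labels are my own naming.

```python
"""Audit VPN hosts against the patch-then-reset-then-verify remediation order.

Constructed sample data only; the host records below do not describe real systems.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass
class VpnHost:
    name: str
    patched_at: Optional[datetime]       # when the vendor fix was applied, None if not yet
    creds_reset_at: Optional[datetime]   # when VPN user credentials were rotated
    tokens_reset_at: Optional[datetime]  # when cloud-service access tokens were reissued
    forensics_done: bool                 # post-patch review for signs of compromise
    mfa_enforced: bool = False           # MFA alone is not a reason to defer patching


def audit(host: VpnHost) -> List[str]:
    """Return outstanding remediation findings for one host (empty list means done)."""
    findings: List[str] = []
    if host.patched_at is None:
        findings.append("UNPATCHED")
        if host.mfa_enforced:
            # The disclosed research included a 2FA bypass, so MFA does not close the hole.
            findings.append("MFA_NOT_A_MITIGATION")
        # Nothing else counts until the patch is in: credentials rotated on a still
        # vulnerable system can simply be captured again and must be rotated once more.
        return findings

    for label, reset_at in (("CREDENTIALS", host.creds_reset_at),
                            ("TOKENS", host.tokens_reset_at)):
        if reset_at is None:
            findings.append(f"{label}_NOT_RESET")
        elif reset_at <= host.patched_at:
            # A reset at or before patch time may already be in the attacker's hands.
            findings.append(f"{label}_RESET_BEFORE_PATCH")

    if not host.forensics_done:
        findings.append("FORENSICS_PENDING")
    return findings


def is_remediated(host: VpnHost) -> bool:
    return not audit(host)


def audit_fleet(hosts: List[VpnHost]) -> Dict[str, List[str]]:
    """Map host name to its findings; fully remediated hosts map to an empty list."""
    return {h.name: audit(h) for h in hosts}


# Constructed sample inventory (hypothetical hosts and timestamps).
SAMPLE_HOSTS = [
    # Correct order: patch, then credentials, then tokens, then forensics.
    VpnHost("vpn-a", datetime(2019, 10, 1, 10, 0, tzinfo=UTC),
            datetime(2019, 10, 1, 12, 0, tzinfo=UTC),
            datetime(2019, 10, 1, 12, 30, tzinfo=UTC), forensics_done=True),
    # Credentials rotated before the patch landed, tokens never touched, no review.
    VpnHost("vpn-b", datetime(2019, 10, 2, 9, 0, tzinfo=UTC),
            datetime(2019, 9, 30, 8, 0, tzinfo=UTC), None, forensics_done=False),
    # Patch deferred on the belief that MFA mitigates the issue.
    VpnHost("vpn-c", None, None, None, forensics_done=False, mfa_enforced=True),
]


if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

The ordering check is the point: a credential reset with a timestamp at or before the patch timestamp is reported as something to redo, not as progress, because the text notes that credentials rotated on a still-vulnerable appliance can be collected by the attacker. In practice the timestamps would come from the appliance's update log and the identity provider's audit trail rather than a hand-built list.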