What makes these Internet-facing VPN device vulnerabilities so insidious is that once an attacker has compromised a VPN device, there is hardly anything they cannot then do to the enterprise. The device terminates the encrypted tunnel, so an attacker sitting on it sees credentials and MFA tokens in the clear as users authenticate. They can steal the credentials of authorized users and return later using those credentials, masquerading as legitimate users.
They can reconfigure the device and disable security controls, logging, or other settings so that they persist longer undetected. They can pivot from the VPN device to other systems on the same network; a database or SQL server in the same DMZ with an exposed service port is an obvious next target. They can deny service to the device and disrupt the organization at a time of their choosing. They can attack Active Directory and deploy tools like Cobalt Strike to pivot and move laterally across the enterprise, then drop further payloads such as ransomware. They can create and sell backdoor accounts or access to exploited devices, or, as in this recent case, leak an entire set of 500,000 credential pairs harvested by exploiting CVE-2018-13379 (a pre-authentication path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read the session file containing users' cleartext credentials) on over 80,000 unique Fortinet VPN devices across 74 countries. Thirteen percent of those credentials came from devices located in the United States. The list was leaked by the operator of the newly created RAMP forum on the deep and dark web (DDW), but note that this same CVE appears both in the CISA list in John's blog and in the joint advisory from the FBI, NSA, and CISA on Russian SVR actor activity. One caveat worth stating plainly: credentials harvested this way remain valid after the device is patched, so affected users' passwords must be reset as well.
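Because the credential theft described above leaves a trace in web access logs, a defender's first question is usually "was my device hit?". The following is an added example, not code from the original post or from Eclypsium: it scans access-log lines for the publicly documented CVE-2018-13379 request shape, a GET to the SSL VPN portal's `/remote/fgt_lang` endpoint whose `lang=` parameter traverses out of the web root to the `sslvpn_websession` file. The log format and the log lines are constructed for the example (adapt the `LINE_RE` parser to your proxy or WAF format); the point it adds beyond the paragraph is that the request must be percent-decoded (repeatedly, since double encoding is common) and slash-runs collapsed before matching, or encoded variants slip past a naive `../` substring check.

```python
"""Added example: flag CVE-2018-13379 exploitation attempts in web access logs.

Not part of the original post. Log format and sample lines are constructed;
the endpoint and session-file name are the publicly documented ones.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines: client IP, method, request target, HTTP status.
SAMPLE_LOG = """\
203.0.113.7 GET /remote/login?lang=en 200
198.51.100.23 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
198.51.100.23 GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession 200
203.0.113.9 GET /remote/fgt_lang?lang=fr 200
192.0.2.44 GET /remote/fgt_lang?lang=/..%252f..%252f..%252f..%252fdev/cmdb/sslvpn_websession 404
"""

# Assumed log layout for this example; replace with your own format's parser.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

VULN_ENDPOINT = "/remote/fgt_lang"
SESSION_FILE = "sslvpn_websession"


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (attackers double-encode), then collapse
    runs of slashes so '..////..' and '../..' compare equal."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return re.sub(r"/+", "/", value)


def lang_param(url: str) -> str:
    """Extract the lang= query value (parse_qs already decodes one layer)."""
    return parse_qs(urlsplit(url).query).get("lang", [""])[0]


def is_traversal_attempt(url: str) -> bool:
    """True if the request hits the language endpoint with a traversing lang= value."""
    path = normalize(urlsplit(url).path)
    if path != VULN_ENDPOINT:
        return False
    return "../" in normalize(lang_param(url))


def targets_session_file(url: str) -> bool:
    """True if the traversal aims at the file holding SSL VPN session credentials."""
    return normalize(lang_param(url)).endswith(SESSION_FILE)


def scan_log(text: str) -> list[dict]:
    """Return one record per traversal attempt; likely_success marks a 200 on
    the session file, i.e. credentials were most likely read and must be reset."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = m["url"]
        if not is_traversal_attempt(url):
            continue
        session = targets_session_file(url)
        hits.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "session_file": session,
            "likely_success": session and m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with `likely_success` true means the session file was served: treat every credential that was active on that device as compromised and reset it, regardless of whether the device has since been patched. The 404 line shows why the status code matters; the attempt is still worth alerting on, but it did not read the file.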
While the list of exploitable CVEs in CISA's 2020 and 2021 advisories is an important and urgent place to start, it is by no means definitive or comprehensive. Organizations focused on threat-informed risk management will also want to draw on additional sources, including intelligence derived from the DDW via threat intelligence providers. Related to the Fortinet case above, here is a list of CVEs with particular relevance in DDW criminal forums: ones used both for initial access via exploitation and for secondary access via the credentials that are then resold on the DDW for follow-on campaigns. The ones marked with asterisks overlap with the CISA advisories above, but note the 5 additional CVEs that deserve your full attention:
And as if that weren't enough to make the point, someone recently crowdsourced on Twitter which CVEs were being used by ransomware groups. In short order they had a list of 43 CVEs, and, unsurprisingly, about 6 out of 10 were network device firmware vulnerabilities. The thread continues to grow (including with contributions from me), so the number is now higher than that. The thread caught the eye of a Bleeping Computer author who wrote this excellent piece on the topic.
In the end, my hot take here is simple: patch, patch, patch, and do so with great vigor, getting faster at patching than you were yesterday. Measure your cadence, improve your cadence, and treat it as a mission-critical metric going forward. Indeed, this is one of the primary use cases for Eclypsium's customers and one of the main reasons we exist as an enterprise/mission-grade solution designed to address precisely this kind of modern device-level risk. If you want my 'other' hot take on these kinds of vulnerabilities, you'll need to watch this short, no-holds-barred video! When you are done watching, be sure to check out this guide from NSA and CISA on how to select and harden a VPN solution.