Vulnerabilities in SSL VPN products are some of the most exploited by attackers for initial access to target networks, acting as a doorway for exploitation. Earlier this year, Tenable Research named three VPN vulnerabilities as part of its Top Five Vulnerabilities of 2020. Although all three vulnerabilities (CVE-2019-19781, CVE-2019-11510, CVE-2018-13379) were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021.
Based on Tenable Research’s analysis of vendor advisories, government warnings, and industry data, the team re-examined how attackers have historically exploited these vulnerabilities, along with new reports of attacks, in 2021.
Several threat groups have been known to leverage CVE-2019-19781, a path or directory traversal flaw in Citrix ADC, Gateway and SD-WAN WANOP products, to target the healthcare industry. More recently, attackers indicated their preference for this vulnerability in online forums: between January 2020 and March 2021, it was the most-mentioned CVE on Russian and English-speaking dark web forums.
In April 2019, Pulse Secure released an out-of-band security advisory to address multiple vulnerabilities in its Pulse Connect Secure SSL VPN solution. The most notable one, CVE-2019-11510, an arbitrary file disclosure vulnerability, was assigned the maximum CVSSv3 score of 10.0. Fast forward to Q1 2021: a report from Nuspire showed a 1,527% increase in attempts to exploit CVE-2019-11510 against vulnerable Pulse Connect Secure SSL VPNs. At least 16 malware families have also been developed to exploit vulnerabilities in Pulse Connect Secure.
In May 2019, Fortinet patched a directory traversal vulnerability (CVE-2018-13379) in its FortiOS SSL VPN, which allows an unauthenticated attacker to access arbitrary system files using crafted HTTP requests. Attacks leveraging the bug increased 1,916% in Q1 2021. In addition, an April report from Kaspersky ICS CERT revealed that threat actors used it as an entry point into an enterprise network to deploy Cring ransomware.
Because SSL VPNs provide a virtual doorway into organizations, ransomware groups will continue to target these unpatched flaws until organizations take steps to reinforce these entry points by patching vulnerabilities in SSL VPN products.
Read the full report by Tenable Research.