The National Cyber Security Centre (NCSC) has issued further advice to users of certain VPNs that have been attacked by a Chinese state-sponsored hacking group (APT5).
As we reported last month, the affected products are VPNs from Fortinet, Pulse Secure and Palo Alto. Security patches were released earlier this year, but not every organization has applied them, and those that have not remain vulnerable to exploitation by APT5 (or other attackers).
Of course, if you're using these VPNs, you'll hopefully have already applied the appropriate patch – but if not, this should obviously have top priority.
Beyond patching, the NCSC has outlined further steps to determine whether you have been exploited, along with additional remedial actions.
The first thing customers of these VPNs should do is search their logs for signs of compromise.
The organization continues, "Administrators should also look for evidence of vulnerable accounts being actively used; for example, abnormal IP locations or times."
For more details on how to proceed, refer to the NCSC here.
System administrators who suspect their VPN has been exploited should, for obvious reasons, reset administrator and user credentials that were at risk of theft and introduce further mitigation against anyone seeking to exploit their VPN (whether APT5 or other attackers).
This includes enabling two-factor authentication for the VPN, if it supports it, and disabling features (or ports) that are not in use. This is what is known as reducing the attack surface: if you do not need a feature, disable it, and that specific functionality can no longer be exploited.
In addition, the NCSC states that if you suspect a device has been exploited but can find no evidence, it may be safest to reset the device to factory defaults.
System administrators should continue to monitor the VPN's logs and all network traffic, checking for red flags such as connections from unusual IP addresses.
And of course you should check the VPN configuration, as the organization recommends: "Check all configuration options for unauthorized changes. This includes the authorized_keys SSH file, new iptables rules, and commands set to run on connected clients. If you have known backups of the configuration that you can restore, it may be a good idea to restore them."
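The configuration check quoted above can be scripted as a drift comparison between a known-good snapshot and the current state. This is an added example, not NCSC's or any vendor's code; the authorized_keys contents, iptables-save output and the `config_drift` helper are constructed for illustration, and real appliance export formats will differ.

```python
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key types

def parse_authorized_keys(text: str) -> dict[tuple[str, str], str]:
    """Map (keytype, blob) -> raw option string ('' if none), so that a changed
    option such as an added command= on a known key is visible, not just new keys."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)  # keeps quoted option values as one token
        if toks[0].startswith(KEY_TYPES):
            keys[(toks[0], toks[1])] = ""
        else:
            keys[(toks[1], toks[2])] = toks[0]
    return keys

def parse_iptables_save(text: str) -> set[str]:
    """Keep only rule lines (-A ...) from iptables-save output; drop table headers,
    chain policies and counters so that only rule changes are reported."""
    return {ln.strip() for ln in text.splitlines() if ln.strip().startswith("-A")}

def config_drift(base_keys: str, base_rules: str, cur_keys: str, cur_rules: str) -> dict:
    """Compare a known-good snapshot with the current state and list every difference."""
    bk, ck = parse_authorized_keys(base_keys), parse_authorized_keys(cur_keys)
    br, cr = parse_iptables_save(base_rules), parse_iptables_save(cur_rules)
    return {
        "keys_added": sorted(k for k in ck if k not in bk),
        "keys_removed": sorted(k for k in bk if k not in ck),
        "keys_options_changed": sorted(k for k in ck if k in bk and ck[k] != bk[k]),
        "rules_added": sorted(cr - br),
        "rules_removed": sorted(br - cr),
    }

# Constructed sample snapshots (not real keys, hosts or rules).
BASELINE_KEYS = """ssh-ed25519 AAAAC3BASELINEKEY1 admin@mgmt
no-pty,command="/opt/vpn/backup.sh" ssh-rsa AAAAB3BASELINEKEY2 backup@jump
"""
CURRENT_KEYS = """ssh-ed25519 AAAAC3BASELINEKEY1 admin@mgmt
ssh-rsa AAAAB3BASELINEKEY2 backup@jump
ssh-ed25519 AAAAC3UNKNOWNKEY9 unknown@unknown
"""
BASELINE_RULES = "*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n-A INPUT -p udp --dport 4500 -j ACCEPT\nCOMMIT\n"
CURRENT_RULES = BASELINE_RULES.replace("COMMIT", "-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT\nCOMMIT")

def demo() -> dict:
    return config_drift(BASELINE_KEYS, BASELINE_RULES, CURRENT_KEYS, CURRENT_RULES)
```

On the constructed snapshots the report shows one unknown key added, the forced-command restriction stripped from the backup key, and one new inbound iptables rule; each is a candidate for the restore-from-backup step the NCSC suggests.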
The NCSC also reminds us that any current activity related to these VPN threats can be reported through the organization's website.