A group of Chinese state-sponsored hackers known as APT5 is targeting enterprise VPN servers from Fortinet and Pulse Secure after details about security flaws in both products became public knowledge last month.
https://twitter.com/campuscodi/status/1169569184600272896
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
We want to be very careful not to denigrate possibly innocent security companies. This is reminiscent of other hacks against RSA and Diginotar, where the fabric of trust is attached. However, life goes on; and we just learn and adapt collectively. The message to us all should be that security requires depth in planning and architecture: segmentation, assumption of compromise, good comms practices even when security is believed to be in place and so on. Further, we should be assuming compromise of controls and prevention failures and therefore hone our cyber capabilities: detection, hunting, behavioral monitoring and so on. Now all eyes are on the vendors to see how they handle their customers, their services and their responsibilities.
Hackers, both white hat and black hat, collect huge amounts of data on their targets. They have a passive understanding of the types of services and systems that their targets are running. When a vulnerability is made public (as with Pulse and Fortinet), researchers are able to search through their data and find targets with the vulnerable software running. This enables them to exploit these systems incredibly quickly.
However, a number of Pulse and Fortinet customers still haven’t installed patches that were released in April and May, respectively. In Fortinet’s case, they both failed to notify their customers of the flaw and make the subsequent patch accessible.
Pulse on the other hand, took the right action: they sent a security advisory to their customers and requested a CVE. Therefore, it seems the unpatched flaws in their servers lays with the negligence of their customers.Everyone, on both sides of the coin, has a responsibility for security: companies need to alert and advice their customers and, in turn, the customers need to heed this advice.