Blackhat attacks on Webmin, Fortinet VPN, and Pulse Secure VPN servers

Updated on: 12 September 2019
Updated on:12 September 2019

The cyber-world never stays still for one second, and this is even truer for hackers. A couple of days ago, a hackers’ group managed to commit a very gruesome and dangerous attack. The danger comes from the fact that the targets are extremely important and sensitive systems.

Webmin, Fortinet VPN, and Pulse Secure VPN were the three victims of the hackers, and the method they used was simple – exploitation of previously publicized vulnerabilities. Using the exploit codes and technical details that were made public, they managed to assault real-world targets.

Phase one - CVE-2019-15107 or the Webmin backdoor

Webmin is a web-based utility for Linux and *NIX systems, and it’s a very important part of most people’s Linux systems. The attack took place a day after the guys at Webmin publicized news about a backdoor they’d discovered in one of their servers. It had lain dormant for a whole year before they managed to track its whereabouts.

Apparently, the server belonging to one of the Webmin developers had been corrupted and compromised by other malicious codes in the past. This is how this backdoor made its way into the system.

The good thing is – security experts around the world have already begun running scans to search for this vulnerability. At the DEF CON conference on digital security, one of the researchers went into more details related to this backdoor, which was then known as a mere vulnerability.

However, this still prompted people to be more vigilant, stirring the hornets’ nest in the meantime. Only when Webmin itself scanned their servers and discovered the backdoor could they truly understand the danger of what they had on their hands. It was a backdoor that allowed a hacker to completely hijack a Linux system, and perform any potential operation, including data theft, identity impersonation, blackmailing, and so on.

One threat Intel firm, Bad Packets, publicized an online report detailing the exact third-parties that are currently exploiting this backdoor. One of the parties is linked to the infamous botnet CloudBot, and this is even worse than we originally thought.

Webmin went ahead and strongly emphasized that their services were not inherently vulnerable to attacks. Instead, the backdoor had been installed by malicious coding, and they’ve already released a security patch that completely removes this backdoor. According to them, versions 1.882 to 1.921 are unsafe to use because they contain the malicious backdoor coding.

Update v1.930 was released not long after the discovery of the backdoor, and Webmin recommends that all users update as soon as possible. The heightened risks with CVE-2019-15107 lie in the fact that multiple exploit codes are public, and anyone can use them to manipulate Webmin services.

The existence of these exploit codes allow even the most unskilled hackers to hijack Webmin user systems. They are similar to gaming cheat codes where you simply use an unfair advantage to help you achieve your goals.

In particular, v.1890 is the most dangerous for Webmin system users because the hacker managed to fully integrate the backdoor into the mainframe of the service. With all other versions, the vulnerability cannot be used without exploit codes.

What makes matters worse is that approximately 29.000 users are using this version at present, says BinaryEdge. That’s 29.000 potential targets that hackers can instantly attack at any moment. The cherry on top of this rotting cadaver is that whoever accesses these servers receive a free pass into all the FreeBSD, Linux, and OpenBSD servers that those Webmin installs manage.

This means that the hackers would be able to assault and infiltrate millions of other servers. Just by simply hacking one of the 29.000 users with v.1890 of the Webmin server system.

In conclusion, all Webmin users should immediately update to v.1930 so they can prevent having their systems hacked.

Phase two - Fortinet VPN and Pulse Secure VPN assaults

These two VPNs account for approximately 530.000 active users who utilize their services daily, including important corporations and even a couple of Fortune 500 companies.

At a Black Hat security conference, one of the talks entitled “Infiltrating Corporate Intranet like NSA: Pre-auth RCE on Leading SSL VPNs” disclosed several vulnerabilities present in a series of enterprise VPN services. While there were more VPNs being mentioned in the talk, only two of those were actively targeted by the hackers.

FortinetVPN and Pulse Secure VPN’s vulnerabilities could be manipulated in the following way – a hacker would send unpatched Web requests with particular sequences of characters, and this would allow the hacker a certain degree of control over the end-user’s machine. This information comes from a couple of researchers at the Black Hat conference.

A skilled hacker using these vulnerabilities would manage to remotely execute malicious code in a user’s operating system or change specific passwords. Moreover, they would clearly be able to extract vital information from your device without needing to log in. This creates a series of critical problems, especially for companies that have sensitive information stocked on their servers.

Bad Packets is saying that the hackers behind this are running diagnostics over the internet, searching for people with vulnerable systems. Those using Fortinet VPN or Pulse Secure VPN are liable to be hacked, their passwords stolen. The hackers also use session files from the VPNs to fake other VPN sessions of their own.

Fortunately, both Fortinet VPN and Pulse Secure released security patches, the former in May, and the latter in April. However, it takes some time to install these patches, and you won’t be able to run the VPN services in the meantime. This might not mean anything to you as an individual user but to companies that have to halt their production lines, it’s an incredibly hard thing to do.

This is why there are still 14.528 Pulse Secure VPN endpoints that are vulnerable to being exploited. It will take some time before all users get to install the patches, and this period will be a harsh one.

The two VPN services represent the lifeline for many public and private institutions alike. We found out that Fortinet VPN and Pulse Secure VPN are being used by:

  • US military, state, federal or local government agencies
  • Key financial institutions
  • Public schools and universities around the world
  • Hospitals and several important health providers
  • Several Fortune 500 companies

Where are the attacks coming from?

Kevin Beaumont, an independent researcher, revealed that the Fortinet servers suffered attacks from the IP address 91.121.209.213. Upon further research, we found out that this IP address has long been discovered to be highly malicious, and many reported attacks originated from it.

Another attacking IP address came into the light after Ars Technica performed a scan with the BinaryEdge search engine. The IP address 52.56.148.178 has also started to distribute exploit codes related to the exact same vulnerabilities FortinetVPN suffers from.

CVE-2018-13379, as the vulnerability was dubbed, was fully weaponized by the hackers, with exploit codes flooding the internet as of late. We managed to track down two of them. The first one manages to pull off data from infected machines, while the second one only verifies if a device is vulnerable to hacking or not.

Pulse Secure VPN isn’t in a better situation either. Kevin Beaumont discovered that the attacks on their servers came from the IP address 2.137.172.2, while Troy Mursch, an independent researcher, discovered another IP address behind the attacks – 81.140.150.167.

In Pulse Secure VPN’s case, the vulnerability is called CVE-2019-11510, and the two IP addresses have a two-way plan of attack. First, they identify the existence of the vulnerability in the user’s system, and then they exploit it in a number of ways. The most common method is to extract vital data from the machine.

In an interview with Ars Technica, Troy Mursch said that “These scans are targeting endpoints that are vulnerable to arbitrary file reading leading to sensitive information disclosure of private keys and user passwords. These credentials can then be used to conduct further command injection attacks (CVE-2019-11539) and gain access to the private network allowing for further malicious activity.”

Mursch stated that the same IP address 2.137.127.2 that Beaumont to be attacking Fortinet VPN servers also targeted the Pulse Secure VPN servers. His honeypot server easily discovered these malicious IP addresses.

The danger of these VPN-based attacks stems from the critical aspect of the targeted component in a user’s machine. The software which the IP addresses target grants direct access to a user’s sensitive information and classified data. Magnify this by ten times because we’re dealing with organizations using these VPNs, and the danger becomes apparent.

The conclusion which both Fortinet and Pulse Secure representatives reached is that users must immediately patch their systems. They haven’t yet confirmed the findings of Beaumont and Mursch but given the background and experience of the two researchers, the IP addresses they’ve found are most probably at fault.

If you don’t want to become the next victim of a systematic and gruesome hacking attack, then we also suggest you install the latest Fortinet or Pulse Secure VPN patches.

Written by: Alex Popa

Content writer and technology enthusiast. Alex discovered his love for writing not long ago, one that deepens with each written article. Tech subjects are right up his alley, and as he strives to perfect his craft, even more, his journey through the cyber-world leads to many interesting topics that he approaches with the skill and passion of an avid learner. He’s decided to put his ability to good use and share any digital novelties he comes across.

Leave a Reply

Your email address will not be published. Required fields are marked *