Hunting Attack Campaigns Exploiting VPN Vulnerabilities
This post originally available on Intelligent Response Encyclopedia (IRE) but it seems to be useful and be a good example as an experimental hunting use case, so I decide to publish here with new updates from National Cyber Security Centre.
According to Volexity’s article, CVE-2019-11510 was used to attack vulnerable Pulse Secure SSL VPN server in order to arbitrarily access VPN configuration and sensitive files. Exploitation phase involves sending off a crafted request, the following example shows the request with target filename (
/etc/passwd/) the attacker intended to read.
With this vulnerability, the attacker can access a VPN session database and credentials either hashed or in plaintext from the device’s cache. As described by National Cyber Security Centre, the threat actors have also used the same kind of vulnerabilities to target other VPN products. The exploits of these vulnerabilities are publicly online and can be identified with the following CVEs:
- Pulse Connect Secure:
- Palo Alto:
- CVE-2019-1579: Palo Alto Networks GlobalProtect Portal
No malware is identified in this operation.
Tactics, Techniques, and Procedures
The attack will conduct the following activities on their operation:
- Validating the existence of the vulnerability by trying to access
/etc/hostswith the exploit
- If the device is vulnerable, the attacker might try to access data on the following location:
- Users session database on
- Cached credentials on
- Hashed users credentials on
- Users session database on
- With the obtained credentials, the attacker can reuse the credentials to create a VPN tunnel and access the internal network
2-factor authentication will not prevent the hijacking of a valid authentication session.
Indicators of Compromise
See mroe on Network Indicators
Pulse Secure SSL VPN: CVE-2019-11510 and CVE-2019-11539
To efficiently gain the visibility required for this attack scenario, we need to enable a feature on Pulse Secure VPN to record unauthenticated web requests for hunting which isn’t turn on by default. This can be done via
System -> Log/Monitoring -> User Access -> Settings and select
When the unauthenticated web requests logging feature is enabled, we can identify the attack by focusing on request to the vulnerable path with an existing of a file name, for example, an attempt to access
/data/runtime/mtmp/lmdb/randomVal/data.mdb will look like this
info – [x.x.x.x] – System() – 2019/08/14 09:15:26 – VPN-Remote – Connection from IP x.x.x.x not authenticated yet (URL=/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/randomVal/data.mdb?/dana/html5acc/guacamole/)
If this request is identified, we can assume that the attacker already accessed an unknown amount of credentials and then can identify potential behavior that may relate to session hijacking by examining Pulse Secure VPN logs for suspicious changes of IP addresses.
2019-08-14 09:35:32 – PulseSecure – [188.8.131.52] DOMAIN\username – Remote address for user DOMAIN\username changed from 184.108.40.206 to 220.127.116.11. 2019-08-14 09:38:56 – PulseSecure – [18.104.22.168] DOMAIN\username – Remote address for user DOMAIN\username changed from 22.214.171.124 to ...
For CVE-2019-11539, we can identify an attempt to exploit the vulnerability by searching for requests to
/dana-admin/diag/diag.cgi with an options= parameter in the URL.
Fortinet: CVE-2018-13379, CVE-2018-13382, and CVE-2018-13383
To identify an attack, we need to make sure that the device is configured to log web requests. By the way, either firewall logs or netflow logs is also possible to identify the attack.
According to National Cyber Security Centre, When exploiting CVE-2018-13379, an attacker may download sslvpn_websession, which contains the usernames and passwords of active users. This file is typically at least 200 KB. Searching firewall, or netflow logs, for TCP sessions with 200,000-250,000 bytes from the SSL VPN device’s web interface port to the client, and a small number of bytes (less than 2,000) from the client, may return evidence of exploitation.
- Exploit for CVE-2019-11510 by Bishop Fox