Patch Vulnerabilities in Remote Access and Remote Storage Now
The COVID-19 pandemic has seen a surge in the adoption of remote access solutions such as virtual private networks (VPNs), remote storage and cloud-based technologies in remote office scenarios. However, these solutions have also exposed a new attack surface to the Internet. In the past year, critical vulnerabilities were frequently discovered in different remote access products. Some of them have been exploited in the wild to launch various attacks, such as malware infection, ransomware and information leakage. In addition, some enterprises continue to run older versions of remote access products for stability reasons, which increases the risk that known vulnerabilities in those versions will be exploited in cyber attacks.
One well-known attack targeting unpatched devices is the QSnatch malware, first discovered in 2019. It targets QNAP Network-attached Storage (NAS) devices, exploiting vulnerabilities in the devices to plant the malware and enlist them in a botnet [1]. Even though QNAP has released security patches to fix the exploited vulnerabilities, the related malware attacks have continued. HKCERT has kept monitoring the situation in Hong Kong and notifying the affected parties for remediation. However, many affected QNAP NAS devices in Hong Kong have still not been updated to fix the vulnerabilities.
HKCERT has published several security alerts on critical vulnerabilities in common remote access products, including the Fortinet SSL VPN vulnerability (CVE-2018-13379) [2], the Citrix Application Delivery Controller vulnerability (CVE-2019-19781) [3], and the Pulse Secure VPN vulnerability (CVE-2019-11510) [4]. Exploitation of these vulnerabilities could allow attackers to gain access to the VPN network, or to other application protocols behind it, and seize control of the affected devices. At the same time, HKCERT has frequently discovered devices located in Hong Kong that are affected by these vulnerabilities.
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) released a joint cyber security advisory naming the top 30 vulnerabilities that have been routinely exploited worldwide during the past two years [5]. Most of the vulnerabilities named in the advisory are in remote access products, such as VPN gateway devices from various brands. The advisory's findings are consistent with HKCERT's own observations. Thus, it is foreseeable that attackers will continue to target remote access products exposed to the Internet by exploiting vulnerabilities in those products.
HKCERT urges both individuals and organisations to stay vigilant, pay extra attention to remote access products’ vulnerabilities, and adopt the following preventive measures:
- Update systems in a timely manner; monitor the vendor's official website or subscribe to HKCERT's information security alert service for notices of firmware and software updates;
- Change the administrator and user passwords regularly;
- Disable unused accounts and keep account privileges to the minimum necessary;
- Disable unused protocols and applications, e.g. SSH, Telnet, web server, SQL server, phpMyAdmin;
- Avoid using default port numbers, e.g. 22, 443, 80, 8080, 8081, etc.;
- Restrict firewall policies and adopt the principle of default deny all traffic if possible;
- Enable system logging and trigger alerts on abnormal events; and
- Replace end-of-support software and hardware products with supported versions.
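The logging and alerting measure above is only useful if something actually reads the logs. The following script is an added example, not HKCERT's code or any vendor's tool: it parses a constructed, simplified sign-in log format (real VPN and NAS products each use their own format, so `parse_line()` is the part to adapt) and raises alerts for three abnormal patterns that the measures above are meant to catch: a burst of failed logins from one source, a successful login from a source that just produced such a burst, and any successful login to an account the operator has disabled. The sample log lines, the `DISABLED_ACCOUNTS` set and the `FAIL_THRESHOLD` value are all assumptions made for the demonstration.

```python
"""Flag abnormal sign-in activity in remote-access device logs.

Added example for illustration; not code from HKCERT or any product vendor.
Assumed log format (constructed for this example):
    <timestamp> <service> <OK|FAIL> user=<name> src=<ip>
"""
import re
from collections import Counter

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2021-08-02T09:00:01 sslvpn FAIL user=admin src=198.51.100.7
2021-08-02T09:00:02 sslvpn FAIL user=admin src=198.51.100.7
2021-08-02T09:00:03 sslvpn FAIL user=admin src=198.51.100.7
2021-08-02T09:00:04 sslvpn FAIL user=admin src=198.51.100.7
2021-08-02T09:00:05 sslvpn FAIL user=admin src=198.51.100.7
2021-08-02T09:00:06 sslvpn OK user=admin src=198.51.100.7
2021-08-02T09:15:00 sslvpn OK user=alice src=192.0.2.10
2021-08-02T09:20:00 nas OK user=guest src=203.0.113.9
2021-08-02T09:21:00 nas FAIL user=bob src=192.0.2.11
"""

# Assumptions for the demo: accounts the operator has disabled, and how many
# consecutive failures from one source count as abnormal.
DISABLED_ACCOUNTS = frozenset({"guest"})
FAIL_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text, disabled_accounts=DISABLED_ACCOUNTS, fail_threshold=FAIL_THRESHOLD):
    """Scan log text in order and return a list of (alert_type, user, src) tuples.

    repeated_failures       - a source reached fail_threshold consecutive failures
    success_after_failures  - a source logged in successfully right after such a burst
    disabled_account_login  - a successful login to an account that should be disabled
    """
    alerts = []
    fails_by_src = Counter()  # consecutive failures seen per source address
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable line; a production tool would count these too
        src = ev["src"]
        if ev["result"] == "FAIL":
            fails_by_src[src] += 1
            if fails_by_src[src] == fail_threshold:
                alerts.append(("repeated_failures", ev["user"], src))
        else:
            if fails_by_src[src] >= fail_threshold:
                alerts.append(("success_after_failures", ev["user"], src))
            if ev["user"] in disabled_accounts:
                alerts.append(("disabled_account_login", ev["user"], src))
            fails_by_src[src] = 0  # a success ends the failure streak for this source
    return alerts


if __name__ == "__main__":
    for kind, user, src in analyse(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} src={src}")
```

In practice the alert tuples would be forwarded to whatever the organisation uses for notification, and the thresholds tuned to the product's normal traffic; the point of the example is that each of the three checks corresponds directly to one of the preventive measures listed (minimal and disabled accounts, logging, alerting on abnormal events).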
References:
[1] https://www.hkcert.org/blog/qsnatch-malware-prevention-and-cleanup
[2] https://www.hkcert.org/blog/patch-fortios-ssl-vpn-vulnerability-cve-2018-13379-immediately
[4] https://www.hkcert.org/blog/critical-pulse-secure-vpn-vulnerability-cve-2019-11510-alert