Category: Credential Stealing

Overview

In our previous research blog Passwords & MFA Melting VPNS we had explained how vulnerabilities in Fortinet VPN are being exploited to harvest user credentials and bypass MFA implementations. 

The latest update from The Hacker News – 500K FortiGate VPN user credentials are available for free. Many instances of Fortinet VPN whose credentials are out there are not secure even if they have implemented MFA but not patched for CVE-2020-12812.

Self-Propelling cycle between leaked passwords & breaches

Old unpatched vulnerabilities of FortiGate SSL-VPN CVE-2018-13379 & CVE-2019-5591 are widely exploited to gain VPN credentials. These stolen Passwords are then shared on the dark web to fuel new breaches. This puts Fortinet in a self-propelling cycle of Passwords leaks & Breaches. 

The Incident

Fortinet through its PSIRT Blog has reported – Malicious Actor Discloses FortiGate SSL-VPN Credentials. Cybercriminals group “Orange” publicly leaked around 500K usernames and passwords of the Fortinet’s FortiGate SSL-VPN users from as many as 74 different countries. 

Worldwide estimated number of affected FortiGate VPNS is approximately 87,000 out of which India has the largest share of leaked credentials (11%) followed by Taiwan (8.45%), Italy (7.96) and then France (6.15%). 

What Enterprises can do?

Passwords are at the root of this unfortunate cycle. As long as enterprise applications & systems are using passwords to authenticate the enterprises will continue to be stuck in this cycle. 

The best solution is to #GoPasswordless with PureAUTH, which provides you with the most resilient yet convenient way to authenticate to FortiGate & other modern VPN’s and keep your enterprise unaffected even in the face of the worst possible credential breach.

The world was recovering from the jolt of Solarwinds, and we have this… face off with another supply chain attack shaking the world. This time it is Kaseya.

About Kaseya

Kaseya provides unified IT management softwares used by IT teams and Managed service providers (MSPs). VSA is their popular remote monitoring and endpoint management product which sits deep inside clients’ networks and has access + high privileges to almost all of enterprise assets.

What happened at Kaseya?

On 2 July 2021, Kaseya published a notification advising its customers and MSPs  to disable their on-premise Kaseya VSA servers immediately.

Also they announced that Kaseya had become the victim of a cyberattack & many of its customers & MSPs were affected by ransomware attack which exploited a 0 day vulnerability in VSA software.

Incident details

Very limited information of the attack & the 0-day vulnerability is out at this point in time, but many security companies studying the matter closely mentioned with high confidence that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.

This is corroborated by the CVE-2021-30116 disclosed by Kasea. The CVE is about credentials leak and business logic flaw for which the resolution was in progress, hence the details were withheld.

In its limited disclosure blog post Kaseya team published the following 7 sets of CVE.

• CVE-2021-30116 – A credentials leak and business logic flaw, resolution in progress.

• CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
• CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
• CVE-2021-30119 – A Cross Site Scripting vulnerability, resolution in progress.
• CVE-2021-30120 – 2FA bypass, resolution in progress.
• CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
• CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch.

Notable points

Out of the above listed 7 CVE’s  the 2 CVE-2021-30116 & CVE-2021-30120 are noteworthy, since they directly relate to authentication and bypassing the access controls.

We have seen such incidents with various VPN servers in the past, where attackers used vulnerabilities like CVE-2021-30116 to leak the system credentials. Leaked credentials were then stuffed to VPNs to gain unauthorized access.

The resistance posed by 2FA/MFA vanishes if you have vulnerabilities like CVE-2021-30120.
PureID has been consistently advising about the risk of having credentials on the server and its leakage due to various flaws or operational gaps. There has been drastic increase in 2FA/MFA bypassing attacks, which puts enterprises at grave a risk, as mentioned in Auth0 report

Conclusion

Just like previous high profile attacks like Solarwinds & Colonial Pipeline, we have another incident which involves Passwords & we have clearly seen that 2FA/MFA can be bypassed. 

No doubt we will continue to see more such attacks as long as business applications continue to use risky passwords and bypassable 2FA/MFAs.

Going passwordless can drastically reduce enterprise attack surface and makes systems more resilient.

Virtual Private Networks (VPNs) systems are widely used by enterprises to provide secure remote access to their employees. VPN allows for easy access to the infrastructure, but it also opens up the corporate network to the internet.

All VPNs use password-based authentication which is susceptible to various types of attacks. Many enterprises use 2FA to mitigate such risks. However, attackers can steal the keys and even 2FA may not be enough. Once the attackers are on the network, they have unrestricted liberty of action or decision: MITM attacks, Credential stuffing, and other attacks become viable.

In recent times of the pandemic, where work-from-home is the new normal, VPN hacks have become a headache for many companies’ security teams with severe consequences if they are successful.

Virtual private networks, No Longer Private

The point of a Virtual Private Network is to enjoy the encryption and security of local networks while not being at a remote location, through an encrypted tunnel, keeping intruders out. The point of VPNs becomes moot if the people you want to hide your data & resources from can actually access them by being in the tunnel with you.

Close to a thousand VPN servers were compromised and the credentials of users and admin accounts stolen by attackers. This allows anyone to login into these networks until these credentials are revoked.

While all the limelight is being captured by ransomware attacks these days, VPN hacks have been hitting headlines for a decade now. Data was stolen from Lockheed Martin in 2011, after the attackers gained network access through their VPN, using leaked SecureID tokens from RSA is one of many stories, we haven’t learned much from.

Another bone-chilling story; The attack on Ukraine’s Ivano-Frankivsk region was carried out by getting on the VPN network electrical infrastructure by using stolen credentials. This left half of the region without electricity for several hours.

Secure Authentication for VPNs

Learning from the above incidents; stolen credentials are a serious risk even for VPN and 2FA is not helping. Its also evident, in case a CVE is out there for your VPN, you should not avoid the patch but you can avoid passwords with much more ease and convenience. Going passwordless is a very effective way to provide secure & resilient authentication to VPNs.

Check out how Ajit accesses our Palo Alto GlobalProtect without passwords.

Our PureAUTH passwordless authentication platform integrates with all leading VPN solutions including Pulse Secure, Fortinet & Cisco AnyConnect. To know more you can get in touch with our team.

In the recent news by TechSpot.com we have learnt that Google was ‘forced’ again, this time by Evina Research group, to remove 25 credential stealing apps from its Android play store with 2.34 Million combined installations.

Out of the 25 listed applications, PureID Security Team analysed few, to learn modus-operandi of these apps.

Abstract of Technical Analysis

Analysis Details

Step 2 : Intercepting Facebook app invoke

Whenever a user launches the facebook app, Super Wallpaper Flashlight app detects it and launches http://m.facebook.com in a webview, thus making the user think facebook app needs credentials.

Step 3 : Credential harvesting

Once a user presents credentials to the facebook login page in the webview, Super Wallpaper Flashlight app uses malicious javascript to harvest those credentials. 

Step 4: Credentials exfiltration

Here is the code snippet to exfiltrate the harvested credentials to the hxxp://offer.airshop.pw site, which is an active website with mandarin characters indicating it as a Chinese website.

Step 5 : Quick analysis of  airshop.pw

The last our team checked the website, it was still active and 2 engines at virustotal flags it as a (malicious/benign) website.

Why is this case interesting?

Assuming the cost and efforts of setting up + distribution of in-mobile phishing apps versus web based phishing kits are similar, the in-mobile phishing attacks have higher success rates according to this decade old study and it still holds true. This effectiveness makes In-mobile phishing attacks more lucrative for attackers. 

Just like Facebook, we will be seeing credentials of Gmail, mobile-banking and other important applications being targeted.

Protection against credential stealing apps

Enterprises spend a significant amount of money, time and resources to train their employees to prevent phishing attacks. All the training modules focus on desktop/browser based phishing sites. Detecting in-mobile phishing attacks is very difficult even for a well trained person.

Going passwordless proves to be an effective solution in such cases, where user never needs to present any credentials to access enterprise services.

A word of caution here; choosing right type of passwordless solution becomes important as most of the passwordless solutions are designed to make desktop based applications passwordless and not mobile based apps.

Here is a simple demo of how PureAUTH makes GMail application passwordless.

Conclusion

In-mobile phishing attacks are getting mainstream. Going Passwordless is the best strategy to protect enterprise users from phishing attacks. PureAUTH covers you comprehensively on every surface and all devices.