Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.
There are many lessons that we all need to learn from these recurring incidents. This post is to uncover few points that we have seen have not been discussed by the info-sec community and the industry.
The Catch-22 – Phish or no Phish?
LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.
Password Managers getting phished is an alarming situation
This statement goes against what all the password managers like LastPass claims – “use of password manager protects users from phishing attacks“.
In their blog post, Lastpass reported that customer’s personal information like email, phone number, billing address, IP address have been compromised. That is not all, what LastPass has not talked about is the additional information they collect from their users using their mobile app.
The screenshots below show the permissions that Lastpass app takes on a user’s phone.
Permission take by LastPass app on an Android device
These permissions enable the application provider like LastPass (other password managers take similar types of permission on user’s device) to collect more information about the user than probably needed.
User Information collected by LastPass app
In case of a breach, like what happened with LastPass, the severity of the incident and privacy impatc will be more if any additional information collected from the user’s phone is also leaked.
The Passwords
Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors.
Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network.
While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of using secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack.
With the device specific keys mentioned by 1Password, we feel syncing of the passwords across multiple devices becomes a risky affair. Since passwords need to be decrypted on another device and it needs the user chosen master password as well as the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords (encrypted just with the user chosen master password), in transit.
Conclusion
After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are.
Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.
For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless
While password management companies are fighting with each other, the bottom line of major incidents in 2022 is – Passwords are the biggest risk even if you are storing them with Lastpass or any other password manager.
As industry is adopting Zero Trust Architecture, the time is right to #GoPasswordless. In this first blog of the year, we at PureID present 3 strongest points to make your organisation password free in this brand new year 2023.
Best Protection from Phishing & Social Engineering
We have seen Uber getting breached due to MFA bypass and social engineering attacks. Stored credentials stolen from Okta & Twilio were exploited by 0ktapus hacking group, triggering serious supply chain attacks with a blast radius extending to 130+ organisations.
In another incident, credentials phished from DropBox resulted in unauthorised access of 130+ github repositories.
A well designed passwordless authentication solution is a must if you are looking for authentication solution resistant to social engineering & phishing attacks
Zero Trust Access
When you are taking the next flight, you must appreciate the multiple checks that are carried out at the airport as part of Zero Trust Security Model. Not just the traveller’s identity is verified, but each and every piece of luggage you carry is checked for possible risk that can aboard the plane.
When a user authenticates to access an enterprise service or network, the traditional solutions stop at the user’s Identity verification. The risk coming from the connecting user’s device is not verified. In another incident involving Okta again, the customer support executive of Sykes, connected to Okta’s service portals with a compromised device, enabling the Lapsus$ Extortion Group to access and leak some details from Okta’s apps and system.
Most of the MFA, passwordless solutions, FIDO keys fail to provide the user’s device risk posture and hence provide incomplete security. Check how PureAUTH provides ZeroTrust Passwordless Authentication
Convenience meets Security
I couldn’t fix your break, so I made your horn louder – Steven Wright.
That is exactly how the industry approaches the pain of authentication. Since authentication using Passwords + MFA is painful, the applications are designed to provide session cookies that are valid for months. In recent incident with CoudSek, its employee’s Jira account was accessed with stolen session cookies.
With well designed Passwordless solutions, authentication becomes so convenient and smooth that enterprises can enforce shorter sessions and frequent authentication without putting users in any distress. The shorter session span reduces the risk of stolen cookies getting abused.
With the above points and a quick recap of last year’s incidents, we wish you all a safe & secure new year. Looking forward to be your partner in your #ZeroTrustJourney, for which the first step is #GoPasswordless.
With best wishes from PureID family, Happy New Year 2023…
Dropboxdisclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.
The Incident
Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.
CICircle Login page
On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.
Github Login Page
The adversaries are not traced yet, as they used VPNs to hide their tracks.
The incident details shared by Dropbox
The Impact
Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.
Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.
Previous Incidents
Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.
IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.
Mitigation
Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.
When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.
With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods.
Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless
PureID’s passwordless authentication platform PureAUTH, is a cloud based Single Sign On (SSO) solution. PureAUTH uses certificates (digital signatures) provided by an organisation, to uniquely identify its users, in a secure way.
PureAUTH can be used as a secure, cryptography or certificate based alternative to Passwords and Two Factor (2FA) or Multi Factor Authentication (MFA) solutions, as prescribed by various standards.
Traditionally, applications authenticate users using passwords. For additional security along with passwords, 2FA or MFA are also sent to application on the same channel. This authentication method is found to be vulnerable to phishing and other man in the middle attacks. An adversary can trick users to share passwords and 2FA/MFA token, on a phishing page and use it to impersonate user, and gain unauthorised access to the application.
Traditional systems use same channel for authentication & application access
PureAUTH provides a secure alternative to passwords and 2FA /MFA based authentication. Organisation’s user is provided with an AuthVR5 authenticator app which holds cryptographic keys, certificates (digital signatures), seeds (for generating Pseudo Random token), which are unique for every user.
AuthVR5 sends out of the channel authentication request, directly to the PureAUTH server which consists of user’s certificate and one time token which is bound to the user’s session with the application.
PureAUTH uses out of channel authentication with non reusable token & certificate
Since the authentication request is sent out of the channel, the data in the request cannot be obtained by phishing, neither it can be used for any other session apart from the one it was generated for.
NOTE :
The authorisation & session management remains unaffected by introduction of PureAUTH. The user authentication security is enhanced by PureAUTH with the use of certificates (digital signatures), extensive logging, and risk assessment of user’s device, from which the application is being accessed.
Standards around User Authentication & Access Control
PureAUTH provides the required controls and complies with recommendations of various Industry and Regulatory standards, for user authentication and access control. Few widely used standards that PureAUTH complies with are as follows –
ISO/IEC 27001 is the world’s best-known and widely exercised standard for Information Security Management Systems (ISMS). The annexure A, section 9 of ISO/IEC 27001, is all about access control procedures. The aim of Annex A.9 is to safeguard access to information and ensure that employees can only view information that’s relevant to their work.
Annexure A 9.4.2 Secure log-on Procedures
From Annexure A.9, we are focusing on section A 9.4.2, according to which
Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user. This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards, and other means of encryption based on the risk being considered.
Secure log on should be designed so it cannot be easily circumvented and that any authentication information is transmitted and stored encrypted to prevent interception and misuse.
How PureAUTH helps with Annexure A 9.4.2
In this section we answer a few relevant questions that are part of ISO 27001 Standard’s questionnaire form, that can help our customers applying for similar standards.
ISO 27001/2 STANDARDS
Why it is needed
How PureAUTH helps
Do you adopt multi factor authentication (MFA) for secure user access?
Makes access controls more robust and enhances their effectiveness to verify a user’s identity.
Yes, PureAUTH is an authentication solution that uses multiple factors like cryptographic signatures & device fingerprints to securely identify user
Do you give all users unique login credentials?
Ensures that nobody can log on to the system without uniquely identifiable credentials.
Yes, the certificate or digital signatures are unique for every user and device fingerprint is unique for every device
Do you enforce the secure use of passwords and verify a person is the one claimed?
Strengthens unique network login credentials with context-aware access restrictions and user reminders which help verify that a person seeking access to the network and the information within is genuinely who they say they are.
Not Applicable for PureAUTH, as it is a passwordless authentication solution that uses cryptographic keys, certificates (digital signatures) to identify user
Do you restrict users from sharing logins?
Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.
Yes, PureAUTH uses digital signatures embedded & paired to user’s personal device secured by further layer of device based authentication. This makes sharing of signatures with other user and using it from another device impossible.
Do you restrict network access on a job-role basis?
Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job.
Yes, PureAUTH supports policy based regulation of user access that considers user’s role, device risk and sensitivity of the application being accessed
Do you review network access for employees who change roles in the organisation?
Enables administrators to easily change access rights (permanently or temporarily) for individual users groups of users or organisational units.
Not Applicable, Authorisation is managed outside of the scope of PureAUTH
Do workstations automatically log users off the network following a period of inactivity?
Automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing information from unattended workstations. What’s more UserLock can set authorised time frames for certain users’ access and force workstations to log off outside these hours.
Yes, PureAUTH supports Single Log Out (SLO) and respects the session timeouts enforced by respective applications
Why Choose PureAUTH
PureAUTH passwordless authentication solution is not only compliant with all leading (and upcoming) industry and regulatory standards, but is also the most secure authentication and access management platform. Some of its advantages over traditional Passwords & Multi Factor Authentication solutions are as follows
Risks
PureAUTH
Passwords + MFA
Phishing
Unaffected by Phishing
Vulnerable to Phishing attacks
Social Engineering
Unaffected by social engineering or insider attacks
Vulnerable to Social Engineering
Account Sharing
Not possible, compliant
Account sharing is possible
Admin/Tech Support
Completely self serviceable. No admin assistance or tech-support needed
Dependency on Admin, tech support for resetting of passwords and MFA device
Conclusion & further support
Just like Passwords and Two-factor or Multi Factor authentication systems, PureAUTH Passwordless authentication solution can be used to ensure secure access to the most sensitive information systems, applications, and programs like Engineering & Dev-Ops resources, security systems, VPNs, PAM solutions, SaaS services, cloud consoles, communication suites, CRM solutions etc.
For further information on compliance & certification, you can visit https://trust.pureid.io
The Security team of Jenkins announced 34 zero-day vulnerabilities in 24 of its plugins, which has rocked the world. The vulnerabilities range from XSS, stored-XSS, to passwords and token disclosures. The list of vulnerable plugins and overview of their impact can be found in this Bleeping Security article.
Jenkins 0 Days and its Impact
The various Jenikns’ plugins have varying impacts. Based on what plugin your organisation is using, it may see varying degrees of risk to its Jenkins setup and can result into compromise of its supply chain.
Here we are listing few common vulnerabilities and their impacts
Applying patches is the best and recommended way to fix vulnerabilities. In this incident, Jenkins is yet to provide fixes for many of the vulnerabilities and still remains a potentially risky, zero-day candidate.
Shodan project lists more than 150,000 sites running vulnerable Jenkins.
In absence of patches, disabling the vulnerabile plugins is the best option from the security side, but disastrous if it affects the organisation’s engineering processes.
In such cases we always recommend strong Passwordless authentication. Absence of credentials make most of the attacks irrelevant even in the presence of vulnerable plugins.
Better prepare for 0 Day attacks
You cannot stop 0-day attacks and cannot predict them coming. What helps is sticking to security basics and best practices. Other proactive things an organisation can do is to adopt Passwordless Authentication for its entire Software Engineering infrastructure.
Passwordless solutions like PureAUTH also contain the impact of session takeovers arising from token theft with the use of XSS, by enforcing convenient but regular logins.
Making your Software Engineering Infrastructure passwordless can contain the impact of 95% of such 0-day vulnerabilities without any security configuration change.
A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week.
Tracked with CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (reference: Citrix ADM vulnerability)
Overview
Citrix ADM is a virtual appliance, that gives centralized management solution. It simplifies operations by providing administrators with enterprise-wide visibility and automating management jobs that are getting ran across multiple instances.
Citrix ADM is known to ship with a built-in admin account nsroot, with default credentials nsroot (reflecting its legay of NetScaler).
As a best practice, admins change the default passwords to restrict unauthorised access.
Citrix has documented various means to restore default admin password by resetting ADM node.
With the exploitation of CVE-2022-2751 vulnerability, an adversary can force Citrix-ADM to restore the nsroot account’s default credentials as a recovery measure from a system corruption, on the very next reboot.
The Problem
Right from network gears, management consoles, virtual appliances we have seen all systems being shipped with a root account with default credentials.
We have also witnessed that system restore option resoters the default credentials even if admins change them for security reasons.
This has been an industry standard practices from ages. With more options for authentication and evolving threat landscape its time industry should also evolve and change the way factory-default-restores support more secure (or hard to exploit) options.
Here are a few learnings from suh incidents that we can draw & work for better securing our systems.
Lession 1 : Restrict Remote Access by Default
By default remote access to admin accounts of devices/appliances should be restricted. Since restoration of default credentials at any time will make system vulnerable to unauthorised access.
Disabling the remote access as part of default setting triggered with restoration of default passwords can restrict the possibility of exploitation by a remote / external threat actor to a great extent.
This we can see very commonly in Ubuntu, a debian based system.
Extracts from /etc/ssh/sshd_config file from a Ubuntu 22.4
Lesson 2 : Federate Authentication
Its always better to maintain credentials at a centralised location. This consolidates and optimise the efforts to securely manage and protect them. This also reduces or eliminates the need for restoring the default credentials of devices.
Down side of this being the centralised credential store becomes a single point of failure for all your systems and appliances in your network. This leads to our third and final learning.
Lesson 3 : Eliminate Passwords
Moving away from password based authentication drastically reduces the attack surface of any enterprise. You can choose PKI / certificate based authentication for better security.
Adopting passwordless authentication goes long way in protecting your systems from unseen future vulnerabilities which might be triggered due to use of passwords or default credentials.
PureAUTH Identity and Trust Platform
Citrix ADM incident CVE-2022-27511 is an another example of the risks associated with passwords. Eliminating passwords using a true passwordless solution like PureAUTH protects organisations from future, unforeseen vulnerabilities.
To learn more, about how PureAUTH is used by various organisations to secure access to their assets and Build Trust in all relevant user actions, schedule a demo with us.
You must be familiar with IaC (Infrastructure as a Code). If not, Stackify has a very good primer on this topic. Code Infrastructure (CIx) simply involves all the tools and systems involved in the Software Development Life Cycle (SDLC process) of an organisation.
Recent supply chain attacks makes it evident, that adversaries world over are targeting the CIx (in other words SDLC tools) of the global software manufacturers. This write up will briefly explain various attacks on Code Infrastructure (CIx) components with the references of some recent supply-chain incidents.
What Is Code Infrastructure (CIx)?
Code Infrastructure (CIx) comprises of all the distributed applications / systems & artefacts that are involved with or result of each and every step involved in the Software Development Life Cycle (SDLC process). Here is how Code Infrastructure of a typical software engineering organisation looks like –
Components of Code Infrastructure (CIX)
Engineering Environment (developer machines and local repositories)
Code Management tools (version control systems, git* or Bit Bucket)
Code Auditing tools (code scanners etc)
Build Systems (build platforms like Jenkins, CICD pipelines)
Code Attestation (Key vaults used for code signing)
Package Distribution Systems ( popular tools like Jfrog)
Deployment Platforms (Cloud services, PaSS/SaaS)
Threats to your Code Infrastructure
CIx presents a vast attack surface which is not often properly secured. This is evident In all the recent supply chain attacks that we have witnessed. We have seen all the attacks targeted to one or more CIx components.
Incident
Target & Method
Reference
Target – Build Systems Method – Insertion of untrusted code
It becomes very crucial for enterprises to pay attention to their CIx and secure the attack vercorts applicable for each of these components.
Attacks on Code Infrastructure, SDLC Tools
How to secure CIx?
The majority of attacks we have seen are due to exploitation of the Identity & Trust framework. In all the cases Identity was managed by conventional passwords and MFA/2FA. The trust breach happened due to leaked signing keys (private keys), access to which was not properly secured.
In the case of Solarwinds we can also see that the build systems built and distributed untrusted code. This happened due to the absence of a Trust framework which can automatically verify that the code being built is a work of a verified/trusted engineer and not a malicious actor.
The careful study of all supply chain attacks in recent times clearly shows the industry needs to move to a better Identity & Trust framework. We need better Identity management to control access to our CIx resources and robust Trust Framework to verify sanctity of the deliverables at each and every level in software engineering, both pre & post built.
PureAUTH Identity & Trust Platform
PureAUTH provides a breach resilient Identity & Trust Platform using its innovative Zero User Data Initiative (0UDI).
To learn more, how PureAUTH is used by various organisations to secure access to their CIx resources and Build Trust in all relevant user actions, schedule a demo with us.
Many Avenger fans would have felt frustrated when they were not able to view the latest Hawkeye series 4th episode when Disney+ was down due to an AWS outage.
Hawkeye disrupted due to Disney+ outage delivered by AWS
The outage also affected the competitor of Disney+ thats Netflix. Condesk, Tinder, Roku and many other services depended on AWS backbone were out last tuesday “US-EAST-1 region” as mentioned by Amazon.
Not just the entertainment providers but Google, Venmo, DoorDash, Spotify, multiple banks and airline were also affected. The list goes on and shows how bad such outages could be.
25 Nov 2020 & 8th Dec 2021
Similar outage was seen last year, on 25th of November when 24 different AWS regions were down affecting many web services Roku, Adobe, Shopt, a delivery company backed by Target.
Incident graph for AWS outage on 7th Dec 2021 source – DownDetector
Outages in the past
The outage of public cloud service provider is not just an Amazon thing. We have seen Fastly one of the biggest CDN (content distribution network) going down for hours in June 2021
Though for a short span, Akamai also faced a disruption in July 2021, on its Edge DNS service, and it took down platforms such as Zomato, Paytm, parts of Amazon, Airbnb, PlayStation Network, Steam, Disney+Hotstar.
Source https://build5nines.com/
In a more disrupting event, Microsoft Azure AD service was down for 14 hours in March this year. This event was 6 months after Azure AD went down blocking access to Azure, Teams, and more over a span of September 28 & 29, 2020
Conclusion
Industry adopted cloud for better availability and redundancy. CDN companies became the backbone of the internet world wide assuring instant delivery of content and services. As we are seeing the repeated instances of cloud giants going down, this seems to be becoming a new normal.
At PureID what we have learnt is having High availability of a service through a cloud solution provider is not enough, we must provide redundant High Availability clusters with more than one cloud service provider. This may not be a feasible option for many enterprises as spreading data across multiple providers may have its own compliance and governance implications apart from the increase in cost and management overheads.
This is exactly where PureID emerges visionary and a leader as it can deliver its authentication services hosted across multiple public cloud vendors without any compliance or governance worry.
No data, no theft & No-PII so no worries, #GoPassworldess with PureAUTH.
Atlassian is a globally popular provider of software development and collaboration tools. Jenkins, an open source automation server has more than 200,000 deployments. Both are being actively attacked due to recently disclosed vulnerabilities CVE-2021-26084 & CVE-2021-39124 in Atlassian products, as they are used in conjunction at many organisations. These security issues pose a serious threat of snowballing into another supply chain attack in 2021(2022?).
Attacks on Atlassian
Check Point Research (CPR) discovered many flaws in Atlassian’s Jira which would allow the attacker to take over a user’s account just by a single click. These security flaws would allow an attacker to perform cross site scripting attacks, CSRF attacks or session fixation attacks. The attacker could gain access to user accounts and acquire confidential information. CPR also found out that once a Jira account was taken over, it was possible to take over the Bitbucket account as well. Atlassian’s Bitbucket which is used by millions was also under this threat. The attacker could have had access to an organisation’s Bitbucket repository which would prove to be detrimental.
Attacks on Jenkins
Jenkins recently discovered a successful attack against its Atlassian Confluence service using CVE-2021-26084. Confluence integrates with Jenkins’ integrated identity system which also powers Jira, Artifactory, and numerous other services. They had to take their affected server offline and reset all the passwords.
Passwords at risk, are risk for Businesses
Patching for CVE-2021-26084 & CVE-2021-39124 should fix the problem, but it is assumed that due to mass exploitation many organisation’s passwords are being compromised. Patching the servers will solve half of the problem. The other half of the problem which will have a massive impact on the masses is resetting the credentials.
Post incident panic and downtime, cost & support needed to reset passwords can be avoided by going passwordless. This also helps in a big way to stop such vulnerabilities triggering supply chain attacks.
Making Atlassian & Jenkins Passwordless
PureAuth provides a passwordless way to authenticate which eliminates the risk of attacks when compared to an authentication method that uses passwords. The video below demonstrates passwordless authentication to Atlassian using PureAuth.
Throughout the March & April month, Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agent (CISA) has reported numerous incidents where old vulnerabilities in popular VPNs were exploited by organized (or state sponsored) hackers, around the world.
Large numbers of malware families & malicious actors across the globe are on the spree of exploiting the old unpatched vulnerabilities in Fortinet as well as Zero-day in Pulse Secure VPN.
The victims of the attacks are include sensitive segments like government agencies, Defense contractors & financial institutions amongst many others
The Impact
Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc., “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users”.
“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.
People shifting to remote working has increased the demand for SSL VPNs, also the attack surface + available targets for APT groups and cybercriminals.
Credential Compromise
The passwords form both the VPNs Fortigate and Pulse Secure are being compromised using different CVEs.
Many unpatched vulnerabilities form the recent past have allowed an unauthenticated attackers to compromise a vulnerable VPN server. The attacker able to gain access to all active users and their plain-text credentials.
Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the VPN server.
Configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, as default configuration does not verify the LDAP server Identity.
Information Disclosure(password files & private keys)
arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable Pulse Secure VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands
Access to passwords
Vulnerabilities giving access to VPN credentials
2FA/MFA Bypass
Its common recommendation & best practice to have 2FA or MFA along with passwords for VPN. Its generally believed that if for some reasons passwords are compromised the VPNs are still safe due to additional factors.
But during these attacks, we have seen that both the VPNs also suffer MFA/2FA bypass vulnerabilities. This makes the commonly followed best practice and recommendation of having 2FA/MFA pointless.
Improper Authentication vulnerability in SSL VPN 2FA in FortiOS, results in a user to log successfully without being prompted for the 2FA (FortiToken) if they changed the case of their username.
Secrete Backdoor access allows hackers to disable or bypass 2FA/MA verification
Bypassing single & multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells
Vulnerabilities allowing to bypass 2FA/MFA
EFFECTIVE SOLUTION: GO PASSWORDLESS
Passwords are by far the weakest link when it comes to security today. Successful attacks involve lost, breached or re-used passwords and we have seen that 2FA/MFA are of no help.
You cannot avoid the patch but you can definitely avoid passwords & the 2FA/MFA solutions and go passwordless with much more ease and convenience.
Today, the smartest & the most secure way to sign In on any VPN or enterprise applications is by going completely passwordless.
With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.
The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.
You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.
