Passwords & MFA Melting VPNs

Shivani Thopte April 27, 2021 Uncategorized

The VPN Meltdown

Throughout the March & April month, Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agent (CISA)  has reported numerous  incidents where old vulnerabilities in popular VPNs were exploited by organized (or state sponsored)   hackers, around the world.

Large numbers of malware families & malicious actors across the globe are on the spree of exploiting the old unpatched vulnerabilities in Fortinet as well as Zero-day in Pulse Secure VPN. 

The victims of the attacks are include sensitive segments like government agencies, Defense contractors & financial institutions amongst many others

The Impact

Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc.,  “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users. 

“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.

People shifting to remote working has  increased the demand for SSL VPNs, also the attack surface + available targets for APT groups and cybercriminals. 

Credential Compromise

The passwords form both the VPNs Fortigate and Pulse Secure are being compromised using different CVEs.

Many unpatched vulnerabilities form the recent past have allowed an unauthenticated attackers to compromise a vulnerable VPN server. The attacker able to gain access to all active users and their plain-text credentials. 

Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected VPNCVE IDDescriptionImpact
CVE-2019-5591Configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, as default configuration does not verify the LDAP server Identity.Information Disclosure(password files & private keys)
CVE-2019-11510arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable  Pulse Secure VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commandsAccess to passwords
Vulnerabilities giving access to VPN credentials

2FA/MFA Bypass

Its common recommendation & best practice to have 2FA or MFA along with passwords for VPN. Its generally believed that if for some reasons passwords are compromised the VPNs are still safe due to additional factors.

But during these attacks, we have seen that both the VPNs also suffer MFA/2FA bypass vulnerabilities.  This makes the commonly followed best practice and recommendation of having 2FA/MFA pointless. 

Affected VPN CVE IDDescriptionImpact
CVE-2020-12812Improper Authentication vulnerability in SSL VPN 2FA in FortiOS, results in a user to log successfully without being prompted for the 2FA (FortiToken) if they changed the case of their username.Operational Risk, Improper Authentication2FA/MFA Bypass
SlowPulse Malware familySecrete Backdoor access allows hackers to disable or bypass 2FA/MA verificationBypassing single & multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells
Vulnerabilities allowing to bypass 2FA/MFA

EFFECTIVE SOLUTION: GO PASSWORDLESS

Passwords are by far the weakest link when it comes to security today. Successful attacks involve lost, breached or re-used passwords and we have seen that 2FA/MFA are of no help. 

You cannot avoid the patch but you can definitely avoid passwords & the 2FA/MFA solutions and go passwordless with much more ease and convenience.

Today, the smartest & the most secure way to sign In on any VPN or enterprise applications is by going completely passwordless.

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.

REFERENCES

Share the post    
Previous Post
Online world majorly relies on passwords for access control and content security. Enterprises and individuals alike use passwords to keep sensitive information out of the wrong hands. However, enterprises are an extremely high value target for attackers and that level of attention cannot be handled by the humble passwords.  In this blog I will be […]
Read More...
FluBot is a banking malware that is specifically attacking Android phones and stealing bank details and passwords from your device. Like Covid-19, this malware has spread across a wide range of English speaking countries rapidly causing some irreparable damage.  FluBot uses “smishing” – phishing using SMS and text messages. These attacks have seen a huge […]
Read More...