October 9, 2019

APT Actors Hitting UK Organisations via Trio of VPN Vulnerabilities: NCSC

"This activity is ongoing, targeting both UK and international organisations"

By CBR Staff Writer

Hundreds of British organisations are vulnerable to VPN attacks being launched by sophisticated Advanced Persistent Threat (APT) actors, who are actively exploiting vulnerabilities in a trio of commercial VPN products, the NCSC has warned.

The organisation, overseen by GCHQ, warned: “This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”

VPN Attacks Allow “Secondary Exploits Aimed at Accessing a Root Shell”

The warning last week comes three months after the US’s Department of Homeland Security highlighted the vulnerabilities in Fortinet, Palo Alto and Pulse VPN products, warning that “A remote attacker could… take control of an affected system”.

The highest-impact vulnerabilities known to be exploited by APTs are listed below, although this is not an exhaustive list of CVEs associated with these products.

Sample exploit code for these vulnerabilities is publicly available online. The NCSC cautions against testing infrastructure with untrusted third-party code.

The main CVEs being exploited are the following:

Pulse Connect Secure:

  • CVE-2018-13379: Pre-auth arbitrary file reading.
  • CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user.
  • CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router.

Palo Alto:

The NCSC said: “Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.


“Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.”

All three products have been patched by the vendors, and the NCSC noted that the simplest option to improve security is to “apply the latest security patches released by vendors”.

David Grout, CTO of EMEA at FireEye, noted: “Organisations need to patch as soon as possible as these two vulnerabilities are already heavily exploited in the field and the exploits are available for download. The vulnerabilities were first presented at BlackHat in August this year and we have observed multiple campaigns exploiting them in recent weeks. Attackers can use the vulnerabilities to obtain access to VPN gateway accounts, which means they can change them or get access to the victim’s networks.”

He added, in line with the NCSC’s advice: “In the meantime organisations should review all of their logs and look for abnormal activities on their devices. If possible, they should reset authentication on all impacted devices and I’d strongly encourage customers using these VPNs to deploy multi-factor authentication to limit password reuse attacks.”
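The advice above to “review all of their logs and look for abnormal activities” is easier to act on with a concrete check. The script below is an added example, not code from the NCSC, FireEye or any VPN vendor: it walks a VPN gateway log, builds a per-account baseline of source addresses from successful logins before a chosen cutoff date, and then flags the chain the advisory describes, a login with valid credentials from an address the account has never used, followed by a configuration change in that same session. The log format and every sample line are constructed for this example and do not match any real product's format; the cutoff date is likewise an assumed value.

```python
"""
Added example (not from the NCSC advisory or the article): a small review
pass over VPN gateway authentication and configuration logs.

The log format is constructed for this example:
    <ISO-8601 timestamp> <event> user=<name> src=<ip> session=<id>
It is not any vendor's real format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Event names are part of the constructed format.
LOGIN_OK = "login_ok"
CONFIG_CHANGE = "config_change"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<session>\S+)$"
)


@dataclass
class Event:
    ts: str        # ISO-8601 with fixed width, so string comparison orders correctly
    event: str
    user: str
    src: str
    session: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def known_sources(events: list[Event], cutoff: str) -> dict[str, set[str]]:
    """Per-account baseline: source addresses seen in successful logins before the cutoff."""
    known: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.event == LOGIN_OK and e.ts < cutoff:
            known[e.user].add(e.src)
    return known


def review(events: list[Event], cutoff: str) -> list[str]:
    """Return findings for logins from unseen sources after the cutoff, and for
    configuration changes made inside those sessions."""
    known = known_sources(events, cutoff)
    flagged: dict[str, tuple[str, str]] = {}   # session id -> (user, src)
    findings: list[str] = []
    for e in events:
        if e.ts < cutoff:
            continue
        if e.event == LOGIN_OK and e.src not in known[e.user]:
            flagged[e.session] = (e.user, e.src)
            findings.append(f"{e.ts} NEW_SOURCE user={e.user} src={e.src} session={e.session}")
        elif e.event == CONFIG_CHANGE and e.session in flagged:
            user, src = flagged[e.session]
            findings.append(
                f"{e.ts} CONFIG_CHANGE_FROM_NEW_SOURCE user={user} src={src} session={e.session}"
            )
    return findings


# Constructed sample log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-08-01T09:00:00Z login_ok user=alice src=203.0.113.10 session=s1
2019-08-01T09:05:00Z logout user=alice src=203.0.113.10 session=s1
2019-08-02T08:30:00Z login_ok user=bob src=198.51.100.7 session=s2
2019-08-30T02:14:00Z login_ok user=alice src=192.0.2.55 session=s3
2019-08-30T02:16:00Z config_change user=alice src=192.0.2.55 session=s3
2019-08-30T10:00:00Z login_ok user=bob src=198.51.100.7 session=s4
2019-08-30T10:02:00Z config_change user=bob src=198.51.100.7 session=s4
this line is not in the expected format and is skipped
"""

# Assumed cutoff: the end of the period you trust as a baseline.
CUTOFF = "2019-08-15T00:00:00Z"

if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), CUTOFF):
        print(finding)
```

On the sample data only alice's session s3 is reported: a login from an address never used before the cutoff, then a configuration change in that session. bob's configuration change is not flagged because it comes from an address already in his baseline. Source-address baselining produces false positives for staff who travel or sit behind changing NAT, so treat the output as a triage list rather than a verdict, and pair it with the credential reset and MFA steps quoted above rather than relying on log review alone.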

