APT5, which is believed to be a state-sponsored Chinese hacking group, has been targeting the enterprise VPN servers sold by Fortinet and Pulse Secure, two enterprise cybersecurity companies. Some of these two companies’ customers failed to update their VPN servers in time, leaving them exposed to multiple security vulnerabilities that were disclosed at the Black Hat conference in August.
Unpatched Fortinet, Pulse Secure VPN Servers Affected
As reported by ZDNet this week, researchers from the security consulting firm Devcore unveiled multiple vulnerabilities found in VPN services, such as Palo Alto Networks GlobalProtect, Fortinet FortiGate (FortiOS) and Pulse Secure’s Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). The vulnerabilities included authentication bypasses, command injection, session hijacking and cross-site scripting.
The researchers told the vendors about the bugs ahead of time, so Pulse Secure started sending patches to its customers in April, while Fortinet sent the patches in May.
However, as happens with most software updates, not everyone applied the patches immediately. This allowed the Chinese group to scan the Internet for the VPN servers that remained vulnerable and hack them.
Some of Fortinet’s customers said on social media that they weren’t even aware that the patches were available, pointing to a potential lack of communication on Fortinet’s part.
Pulse Secure seems to have been much more active in trying to contact its customers about the vulnerability. A scan done in mid-August for the vulnerable servers revealed that about one-third (14,500 out of 42,000) of the Pulse Secure VPN servers were still vulnerable. Two weeks later, 10,500 were still vulnerable.
Scott Gordon, Chief Marketing Officer at Pulse Secure, told ZDNet about the vendor's attempts to contact all of its customers:
"We not only issued a public Security Advisory - SA44101, but commencing that day in April, we actively informed our customers, partners and service providers of the availability and need for the patch via email, in-product alerts, on our community site, within our partner portal and our customer support web site."
In addition, Pulse Secure said that its support engineers have been available 24/7 to help customers apply the patches. Those who refused to update will now likely be at risk of having their intellectual property stolen and then handed over to Chinese competitors.
Who Is APT5?
According to FireEye, another cybersecurity company, APT5 has been active online since 2007. It’s believed that the group actually consists of several sub-groups, each with their own tools and tactics.
The group has been targeting primarily telecommunications and technology companies, as well as companies that do high-tech manufacturing and create military application technology. According to FireEye, APT5 uses malware with keylogging capabilities to target telecommunication companies' corporate networks, employees and executives.