Palo Alto, Fortinet and Pulse Secure VPNs are vulnerable to attacks: NSA

Ironically, companies that offer information security services are also exposed to malicious hackers, and they make attractive targets. Experts from the National Cyber Security Center (NCSC) and the National Security Agency (NSA) have released a report warning about serious vulnerabilities in some of the most popular virtual private network (VPN) services.

The companies named in the NSA report include Palo Alto Networks, Pulse Connect Secure and Fortinet, among others. According to the report, the vulnerabilities found in these companies’ VPN services are highly severe and could be exploited to gain access to vulnerable devices.

The flaws stem from security weaknesses that allow threat actors to retrieve arbitrary files through the VPN, including files that might contain login credentials. According to information security specialists, stolen access credentials could be used to establish a VPN connection and change its settings, as well as to gain access to other parts of the compromised infrastructure. In addition, hackers could obtain the privileges necessary to run additional exploits targeting root access.

In their report, the security agencies recommend that users of these VPN services review their activity logs for any indicators of compromise, especially if the latest update patches have not been installed. The agencies also recommend that system administrators who suspect a deployment may have been compromised revoke potentially exposed credentials, including user and administrator credentials.

The companies involved have already been notified, and their respective teams are working to implement the necessary fixes. “At Pulse Secure we are aware of these reports, we appreciate the work of the NCSC,” a company spokesman said.

Fortinet, for its part, published a statement saying: “The safety of our users is our top priority; we ask all of our customers to implement the latest software updates as soon as possible.” Finally, although Palo Alto Networks has not issued an official statement, information security specialists from the International Institute of Cyber Security (IICS) claim that the company is already developing update patches to address the vulnerabilities.
