Ironically, companies that offer information security services are themselves exposed to malicious hackers; they are even a prime target. Experts from the National Cyber Security Centre (NCSC) and the National Security Agency (NSA) have released a report warning about serious vulnerabilities in some of the most popular virtual private network (VPN) services.
The companies noted in the NSA report include Palo Alto Networks, Pulse Connect Secure and Fortinet, among others. According to the report, the vulnerabilities found in these companies’ VPN services are highly severe and could be exploited to gain access to the compromised devices.
The flaws stem from security weaknesses that allow threat actors to retrieve arbitrary files by exploiting the VPN, including files that may contain login credentials. According to information security specialists, stolen credentials could be used to establish a VPN connection and change its settings, as well as to gain access to other parts of the compromised infrastructure. In addition, attackers could obtain the privileges needed to run further exploits aimed at gaining root access.
In their report, the security agencies recommend that users of these VPN services monitor their activity logs for any indicators of compromise, especially if the latest update patches have not been installed. The agencies also recommend that system administrators who suspect a deployment may have been compromised revoke any potentially exposed credentials, including both user and administrator credentials.
Moreover, the companies involved have already been notified and their respective teams are working to implement the necessary solutions. “At Pulse Secure we are aware of these reports, we appreciate the work of the NCSC,” a company spokesman said.
In this regard, Fortinet published a statement saying: “The safety of our users is our top priority; we ask all of our customers to implement the latest software updates as soon as possible.” Finally, although Palo Alto Networks has not issued an official statement, information security specialists from the International Institute of Cyber Security (IICS) claim that the company is already developing update patches to address the vulnerabilities.