
Tenable Blog


US Cybersecurity Agency CISA Alert: Foreign Threat Actors Continue to Target Unpatched Vulnerabilities

CISA warns that foreign threat actors from China and Iran are routinely targeting unpatched vulnerabilities across government agencies and U.S.-based networks.

Background

On September 14 and September 15, the Cybersecurity and Infrastructure Security Agency (CISA) published two separate alerts detailing malicious activity by foreign threat actors:

  • AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
  • AA20-259A: Iran-based Threat Actor Exploits VPN Vulnerabilities

According to CISA, these foreign threat actors have been leveraging a number of unpatched vulnerabilities across a variety of networking devices and mail server software as part of a concerted effort to breach organizations. CISA has observed these attacks against federal government agencies and other networks based in the United States.

The table below contains the list of vulnerabilities mentioned in both alerts (with the exception of CVE-2019-11539, which appears only in AA20-259A):

| CVE | Product | CVSSv3 | Tenable VPR* | Disclosed |
| --- | --- | --- | --- | --- |
| CVE-2019-11510 | Pulse Connect Secure | 10.0 | 10 | Apr 2019 |
| CVE-2019-11539 | Pulse Connect Secure | 7.2 | 9.6 | Apr 2019 |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | 9.8 | 9.9 | Dec 2019 |
| CVE-2020-0688 | Microsoft Exchange Server | 8.8 | 9.8 | Feb 2020 |
| CVE-2020-5902 | F5 BIG-IP | 9.8 | 9.9 | Jul 2020 |

*Please note Tenable VPR scores are calculated nightly. This blog post was published on September 17 and reflects VPR at that time.

The vulnerabilities in these alerts were disclosed between April 2019 and July 2020. These threat actors are banking on the fact that organizations are slow to apply patches on these devices.

Analysis

CVE-2019-11510, CVE-2019-11539: Pulse Connect Secure Vulnerabilities

CISA reports that foreign threat actors in China and Iran are exploiting flaws in Pulse Connect Secure, a popular commercial virtual private network (VPN) solution. These vulnerabilities were originally patched back in April 2019. However, they began to garner more attention after researchers Orange Tsai and Meh Chang of the DEVCORE research team presented their findings on these vulnerabilities at the Black Hat and DEF CON conferences in August 2019. A proof of concept (PoC) was released for CVE-2019-11510, a pre-authentication arbitrary file disclosure vulnerability that can be used to read sensitive information from the Pulse Connect Secure device, including configuration settings. Soon after the release of the PoC, reports emerged that attackers had begun to exploit the flaw in the wild.

The Iran-based threat actor referenced in AA20-259A is also utilizing CVE-2019-11539, a post-authentication command injection vulnerability in the Pulse Connect Secure administrative web interface that could allow an attacker to inject and execute commands on the device. Because CVE-2019-11510 is a pre-authentication vulnerability that can be used to gather admin credentials, attackers are chaining it together with CVE-2019-11539 to obtain a root-privileged Secure Shell (SSH) session on the vulnerable device. Researchers Alyssa Herrera, Justin Wagner and Mimir published a blog post showing how this process works.

CVE-2019-11510 has become a popular tool in the attackers’ toolkit. In January 2020, reports emerged that the vulnerability had been used as part of the Sodinokibi ransomware attacks. CISA also included this vulnerability in its Top 10 Routinely Exploited Vulnerabilities alert in May as one of two vulnerabilities that were routinely exploited by foreign threat actors in 2020.

CVE-2019-19781: Citrix Directory Traversal Vulnerability

In December 2019, Citrix published an advisory for a directory traversal vulnerability in its Application Delivery Controller (ADC) and Gateway products. At the time, they did not provide a patch for the flaw.

A few weeks after disclosing this vulnerability, researchers began to observe attempts to exploit the flaw in the wild. Several researchers shared some technical information in blog posts detailing the flaw, which ultimately led to the publication of exploit scripts. Soon after, attackers began to actively exploit the vulnerability en masse while patches remained unavailable until one month after its initial disclosure.

Just like CVE-2019-11510, CVE-2019-19781 was also included by CISA in its Top 10 Routinely Exploited Vulnerabilities alert.

CVE-2020-0688: Microsoft Exchange Server Static Key Flaw

In February 2020, Microsoft published an advisory for a severe vulnerability in Microsoft Exchange Server that was initially mislabeled as a memory corruption flaw. The vulnerability, identified as CVE-2020-0688, is a static key vulnerability in a component of Exchange Server called the Microsoft Exchange Control Panel (ECP).

A detailed breakdown of the flaw was published on the Zero Day Initiative blog, which clarified that exploitation would require the attacker to obtain valid user credentials for the targeted Exchange Server. This requirement was deemed “not a big hurdle” by security researcher Kevin Beaumont, who noted that openly available tools can be used to scrape LinkedIn pages for employee names, which can then be leveraged as part of credential stuffing attacks.

At the time, Beaumont also noted that organizations were “averaging in the years rather than months behind” patching their Microsoft Exchange Servers. Clearly that has proven to be valuable for foreign threat actors who have leveraged this flaw as part of their attacks.

CVE-2020-5902: F5 BIG-IP Unauthenticated Command Execution Vulnerability

At the end of June 2020, F5 published an advisory for CVE-2020-5902, a critical command execution vulnerability in its BIG-IP family of products. The vulnerability exists in the BIG-IP Configuration Utility, referred to as the Traffic Management User Interface (TMUI). To exploit the flaw, the TMUI would need to be exposed through a BIG-IP management port or Self IPs.

Ben Goerz, a senior manager of counter-threat management at Kimberly-Clark, tweeted that default configurations of BIG-IP devices are vulnerable to CVE-2020-5902 due to the usage of Self IPs. A senior security engineer at F5 confirmed in a tweet that while BIG-IP versions 11.5.2 and prior use Self IPs by default, this configuration no longer applies in BIG-IP versions 11.5.3 and later.

At the time, researcher Nate Warfield identified over 8,000 publicly accessible hosts with management ports exposed. Soon after its disclosure, reports emerged that threat actors were actively exploiting CVE-2020-5902. This vulnerability has proven to be a valuable commodity for both cybercriminals and foreign threat actors.

Unpatched vulnerabilities are a boon for cybercriminals and threat actors

The Top 10 Routinely Exploited Vulnerabilities alert highlights an important point: Threat actors do not need to spend capital obtaining or developing zero-day vulnerabilities, or burn the ones they already have, when unpatched vulnerabilities remain a consistent challenge for organizations. This challenge is reinforced by easy access to publicly available PoC and exploit scripts that attackers can repurpose as-is in order to breach organizations.

In June 2020, the Australian Cyber Security Centre published a report titled “Copy-Paste Compromises,” which details a concerted effort by foreign threat actors to target governments and organizations by copy-pasting PoC and exploit script code. Both CISA alerts highlight the exact same challenge: Readily accessible PoC and exploit scripts, and the presence of unpatched vulnerabilities, make it that much easier for cybercriminals and foreign threat actors to breach governments and organizations across the world.

Proof of concept

All of the vulnerabilities identified in the CISA alerts have had public PoC code and exploit scripts available soon after they were publicly disclosed. For many of the CVEs, multiple PoCs and exploit scripts have been published. We have shared a small subset of these in the table below:

CVE Source URL
CVE-2019-11510 GitHub
CVE-2019-11510 GitHub
CVE-2019-11510 GitHub
CVE-2019-11539 GitHub
CVE-2019-19781 GitHub
CVE-2019-19781 GitHub
CVE-2019-19781 GitHub
CVE-2020-0688 GitHub
CVE-2020-0688 GitHub
CVE-2020-0688 GitHub
CVE-2020-5902 GitHub
CVE-2020-5902 GitHub
CVE-2020-5902 GitHub

Solution

With the exception of CVE-2019-19781, patches were made available for these vulnerabilities at the time the advisories were published. In the case of CVE-2019-19781, patches were not made available until one month after the initial advisory.

Please refer to the individual advisories below to determine which patch to apply for your specific device.

| CVE | Patch Information |
| --- | --- |
| CVE-2019-11510 | SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX |
| CVE-2019-11539 | SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX |
| CVE-2019-19781 | Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance |
| CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability |
| CVE-2020-5902 | K52145254: TMUI RCE vulnerability CVE-2020-5902 |

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found below:

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
