APT5, also known as Manganese, is a group of Chinese state-sponsored hackers. They are exploiting vulnerabilities in Fortinet and Pulse Secure VPN servers to harvest files with password information or VPN session data.
What is happening?
However, it is uncertain if the group was successful in taking control of devices using the stolen files.
What did Fortinet and Pulse Secure do?
Both of the targeted VPN servers are highly popular in the market, with renowned organizations and government departments making use of them.
The issues were reported to both Fortinet and Pulse Secure in March by security experts at Devcore. Pulse Secure released a security patch in April, closely followed by Fortinet in May. But most organizations did not install the patches, with many of them being unaware that a patch was available. To assist their customers with applying the patch, Pulse Secure and Fortinet have taken various steps such as posting blogs and closely working with customers.
However, APT5 and other hackers are still able to harvest information from the many organizations that have yet to install the security fix.
What should organizations do?
If your organization is using the VPN server of either Fortinet or Pulse Secure, make sure the latest security patch is installed. This shields your network not just from APT5, but also from many other hackers who are looking for a vulnerability to exploit in order to harvest data.