Hackers mount attacks on Webmin servers, Pulse Secure, and Fortinet VPNs

Webmin server

To no surprise to anyone, hacker groups began exploiting publicly available vulnerabilities previously in the month, taking benefit of government technical information and demo code for launching assaults on real-world objectives.

Attacks were launched this week and targeted at Webmin, a web-based tool that manages Linux and* NIX systems, as well as VPN products for companies like Pulse Secure and Fortinet’s FortiGate.

Equally hazardous are all three kinds of assaults, as they target equipment in company networks that enable attackers to take complete control of the attacked systems.

The assaults on Webmin, Pulse Secure and Fortinet FortiGate this week were, without exaggeration, some of the worst in the year, not because of their quantity, but because of the sensitivity of their systems.

Webmin attacks

On Tuesday, one day after a significant backdoor news was released in Webmin, a web-based instrument used by system administrators to handle remote Linux and* NIX systems, the first of these assaults began.

After other actors of threats compromise a server belonging to a Webmin developer, the backdoor was hidden in the webmin source code for over a year before being discovered.

Scans for this vulnerability began after a safety investigator presented the vulnerability in more depth (later proved backdoor) at a DEF CON safety conference.

However, once the Webmin team confirmed the seriousness of this problem, the scans for Webmin servers became active exploitation attempts immediately.

Per threat intellectual company Bad Packets, several players presently use the vulnerability of Webmin. One of them is the owner of an IoT botnet called Cloudbot.


Webmin managers should upgrade to version 1.930, published last Sunday, to safeguard their systems against CVE-2019-15107 (RCE vulnerability / backdoor). Public exploit code exists for this bug, and even low-skilled threat actors make attacks trivial and simple to automate.

The Webmin team argues that over one million Webmin active installs are available on the internet. All variants of Webmin downloaded from Sourceforge between 1.882 and 1.921 are susceptible; in v1.890, however, the backdoor has been activated by default. BinaryEdge says that there are 29,000 Webmin servers linked to the Internet which run this version, representing a enormous attack surface.

In addition, compromises may also enable attackers to access all Linux, FreeBSD, and OpenBSD servers managed via these webmin installs, enabling assaults by attackers on millions of other endpoints and servers.

Pulse Secure and FortiGate VPN

But if it began bad this week, the attacks finished even worse.  By Friday, attackers were also exploiting a number of other vulnerabilities that were also reported during a safety meeting–at Black Hat this moment.

These vulnerabilities were covered in a lecture entitled “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs,” which contained information about slew security bugs in various VPN products.

The attacks did not, however, target all of the VPN products described in the discussion. They only target two, namely the Pulse Secure VPN and FortiGate VPN from Fortinet.

It is more probable that the attackers used the technical information and the proof-of-concept code included in Devcore’s August 9 blog post as a starting point for the preparation of attacks.

This blog post contains information and demo code on multiple vulnerabilities in the two VPN products mentioned above. However, only two of those vulnerabilities have been identified, namely CVE-2019-11510 (Pulse Secure affected) and CVE-2018-13379 (FortiGate related vulnerabilities).

They are both “pre-authentication reads,” a sort of vulnerability that enables hackers to get files from a targeted scheme without authenticating.

The hackers scan the web for sensitive systems, and then retrieve system password documents from Pulse Secure VPNs and VPN session data from Fortinet’s FortiGate accordingly, and other Twitter scientists. With these two files in hand, attackers can authenticate or fake an active VPN session on machines.

In a weekend blog post, Bad Packets said there were nearly 42,000 Pulse Secure VPN systems, of which almost 14,500 were not patched online.

There are also patches for both products, Pulse releasing its patch in April and Fortinet releasing its patch in May, as are the hundreds of thousands of FortiGate VPNs, although we do not have an precise status of the amount of unpatched devices which are still susceptible to assaults.

In any event, owners of such systems should patch as quickly as possible. These VPN products are costly and can not be discovered in locations that generally do not need them, which generally means that they safeguard access to highly sensitive networks.

For instance, Bad Packets safety scientists recognized Pulse Secure VPNs on the networks:

  • U.S. military, federal, state, and local governments agencies
  • Public universities and schools
  • Hospitals and health care providers
  • Major financial institutions
  • Numerous Fortune 500 companies

The vulnerabilities are as serious as possible. Pulse Secure attempted to bring this problem to the fore by offering its clients a score of 10 out of 10 for the security bug, but four months on, many clients did not repair.

In addition, armed proof-of-concept code is now accessible freely online in several locations for both matters, including GitHub[ 1, 2].

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.