Southeast Asia: An Evolving Cyber Threat Landscape (Sep 5, 2019)
FireEye analysts have published their findings of malicious activity attributed to a Chinese state-sponsored group called “APT5.” The Advanced Persistent Threat (APT) group name, APT5, is an umbrella term that is used to refer to activity conducted by several subgroups that sometimes utilize “distinct tactics and infrastructure.” The APT5 attacks began in August and were observed to have been scanning the internet for Fortinet and Pulse Secure VPN servers. The objecting of this activity was to exploit two vulnerabilities in the two products, CVE-2018-13379 for Fortinet and CVE-2019-11510 for Pulse Secure. Both vulnerabilities are “pre-auth file reads” that can be exploited by an actor to access files on a VPN server without authentication.
Recommendation: APT actors conduct strategic operations to accomplish their objectives, therefore, attempting to exploit vulnerabilities in products used by a large number of users makes sense strategically. Amongst affected entities include Fortune 500 companies, government agencies, and technology organizations. These vulnerabilities were reported to Fortinet and Pulse Secure by Devcore analysts, and both companies were able to create patches. Fortinet released a patch in May (additional information here: https://fortiguard.com/psirt/FG-IR-18-384). and Pulse Secure released the update in April (additional information here: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101). This campaign depicts the importance of implementing a patch-maintenance policy to avoid potential malicious activity, especially since these vulnerabilities have been discussed in open sources.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.