NCSC gives more advice for those using VPNs hit by Chinese cybercriminals


The National Cyber Security Centre (NCSC) in the UK has issued further advice to users of certain VPNs who were attacked by a Chinese state-sponsored hacking group (APT5).

As we reported last month, the VPNs in question were Fortinet and Pulse Secure, as well as Palo Alto VPN, and as we previously observed, patches were released for the security flaws earlier this year – although not all companies applied them, so those that haven’t remain vulnerable to exploitation by APT5 (or indeed other cyber-attackers).

Naturally, if you use these VPNs, hopefully you’ve already applied the relevant patch – but if not, obviously that should be an absolute top priority.

Following patching, however, the NCSC has outlined some further measures on detecting if you’ve been exploited, and additional mitigations.

The first point customers of these VPNs should action is to comb through their logs for any evidence of compromise – particularly if the aforementioned patches were only recently applied.

The organization further notes: “Administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.”

Further details on how to go forward with this are provided by the NCSC here.

System admins who suspect that any exploitation or hacking may have taken place should reset admin and user credentials which were at risk of theft, for obvious reasons.

Additional mitigations

The organization also details further mitigation measures for those who have detected exploitation of their VPN (or those who have been previously targeted by APT or indeed other cyber-attackers).

That includes instigating two-factor authentication for the VPN, if that’s available with the service, and disabling any functions (or ports) which aren’t used by the VPN. This is what’s known as reducing your threat surface, of course – if you don’t need stuff, it can be turned off, and any possible exploitation of that particular functionality is therefore made impossible.

Furthermore, the NCSC observes that if you suspect exploitation has taken place on a device, but can’t pinpoint any evidence, it may just be safest to factory reset the device.

System admins should also continue to review logs for the VPN, and indeed all network traffic through the VPN, checking for red flags like connections from uncommon IP addresses.
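As an added illustration of that log review (not code from the NCSC or from any VPN vendor), the sketch below builds a per-user baseline of source networks and login hours, then flags later logins that fall outside it. The log format, user names and addresses are constructed for the example, and the /24 grouping handles IPv4 only.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for illustration; adapt the regex to your appliance's logs.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=success$")

BASELINE = """\
2019-09-02T08:55:10 user=alice src=198.51.100.23 result=success
2019-09-03T09:10:42 user=alice src=198.51.100.77 result=success
2019-09-03T17:30:05 user=bob src=203.0.113.5 result=success
2019-09-04T18:02:19 user=bob src=203.0.113.9 result=success
"""
RECENT = """\
2019-10-01T09:05:00 user=alice src=198.51.100.40 result=success
2019-10-02T03:14:07 user=alice src=192.0.2.200 result=success
2019-10-02T17:45:00 user=bob src=192.0.2.200 result=success
2019-10-03T10:00:00 user=carol src=203.0.113.5 result=success
"""

def parse(text):
    """Yield (user, timestamp, /24 source network) per successful IPv4 login."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m["src"] + "/24", strict=False)
            yield m["user"], datetime.fromisoformat(m["ts"]), net

def build_profile(text):
    profile = defaultdict(lambda: {"nets": set(), "hours": set()})
    for user, ts, net in parse(text):
        profile[user]["nets"].add(net)
        profile[user]["hours"].add(ts.hour)
    return profile

def find_anomalies(profile, text, hour_slack=2):
    findings = []
    for user, ts, net in parse(text):
        if user not in profile:
            findings.append((user, ts.isoformat(), "no-baseline"))
            continue
        if net not in profile[user]["nets"]:
            findings.append((user, ts.isoformat(), "new-network"))
        # Circular distance (hours) to the nearest login hour in the baseline.
        gap = min(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) for h in profile[user]["hours"])
        if gap > hour_slack:
            findings.append((user, ts.isoformat(), "unusual-hour"))
    return findings
```

A baseline drawn from a period after exploitation began will treat the intruder's logins as normal, so pick the baseline window with the patch date in mind.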

And of course you should check VPN settings, as the organization advises: “Check all configuration options for unauthorized changes. This includes the SSH authorized_keys file, new iptables rules and commands set to run on connecting clients. If you have known-good backups of the configuration you can restore then restoring these may be prudent.”
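For the authorized_keys part of that check, here is an added example (not the NCSC's own tooling) that compares the current file against a known-good backup by key fingerprint rather than by comment, since a comment can be copied from a legitimate entry. The key blobs and comments are constructed stand-ins, and `diff_keys` and `parse_keys` are hypothetical helper names.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def _blob(label):  # constructed stand-in for a real public key blob
    return base64.b64encode(label.encode()).decode()

KNOWN_GOOD = f"""\
# constructed backup copy
ssh-ed25519 {_blob('admin-key')} admin@mgmt
restrict ssh-rsa {_blob('backup-key')} backup@mgmt
"""
CURRENT = f"""\
ssh-ed25519 {_blob('admin-key')} admin@mgmt
ssh-rsa {_blob('backup-key')} backup@mgmt
ssh-rsa {_blob('unknown-key')} admin@mgmt
"""

def parse_keys(text):
    """Return ({fingerprint: (options, comment)}, [lines that could not be parsed])."""
    keys, unparsed = {}, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type; the base64 blob follows the type.
        idx = next((i for i, f in enumerate(fields[:-1]) if f.startswith(KEY_TYPES)), None)
        try:
            digest = hashlib.sha256(base64.b64decode(fields[idx + 1], validate=True)).digest()
        except (TypeError, ValueError):  # no key type found, or blob is not base64
            unparsed.append(line)
            continue
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        keys[fp] = (" ".join(fields[:idx]), " ".join(fields[idx + 2:]))
    return keys, unparsed

def diff_keys(known_good, current):
    good, _ = parse_keys(known_good)
    now, unparsed = parse_keys(current)
    return {
        "added": sorted((fp, c) for fp, (_o, c) in now.items() if fp not in good),
        "removed": sorted((fp, c) for fp, (_o, c) in good.items() if fp not in now),
        "options_changed": sorted((fp, c) for fp, (o, c) in now.items()
                                  if fp in good and good[fp][0] != o),
        "unparsed": unparsed,
    }
```

In the constructed data the added key reuses the `admin@mgmt` comment and the backup key has lost its `restrict` option; both are reported, where a comparison by comment alone would show nothing new.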

The NCSC also reminds us that any current activity related to these threats to VPNs can be reported via the organization’s website.


Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).
