NCSC gives more advice for those using VPNs hit by Chinese cybercriminals


The National Cyber Security Centre (NCSC) in the UK has issued further advice to users of certain VPNs who were attacked by a Chinese state-sponsored hacking group (APT5).

As we reported last month, the VPNs in question were Fortinet and Pulse Secure, as well as Palo Alto VPN, and as we previously observed, patches were released for the security flaws earlier this year – although not all companies applied them, and those that haven’t remain vulnerable to exploitation by APT5 (or indeed other cyber-attackers).

Naturally, if you use these VPNs, hopefully you’ve already applied the relevant patch – but if not, obviously that should be an absolute top priority.

Following patching, however, the NCSC has outlined some further measures on detecting if you’ve been exploited, and additional mitigations.

The first point customers of these VPNs should action is to comb through their logs for any evidence of compromise – particularly if the aforementioned patches were only recently applied.

The organization further notes: “Administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.”

Further details on how to go forward with this are provided by the NCSC here.

System admins who suspect that any exploitation or hacking may have taken place should reset admin and user credentials which were at risk of theft, for obvious reasons.

Additional mitigations

The organization also details further mitigation measures for those who have detected exploitation of their VPN (or those who have been previously targeted by APT or indeed other cyber-attackers).

That includes instigating two-factor authentication for the VPN, if that’s available with the service, and disabling any functions (or ports) which aren’t used by the VPN. This is what’s known as reducing your threat surface, of course – if you don’t need stuff, it can be turned off, and any possible exploitation of that particular functionality is therefore made impossible.

Furthermore, the NCSC observes that if you suspect exploitation has taken place on a device, but can’t pinpoint any evidence, it may just be safest to factory reset the device.

System admins should also continue to review logs for the VPN, and indeed all network traffic through the VPN, checking for red flags like connections from uncommon IP addresses.
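To make the log review concrete, here is an added example (not from the NCSC or any vendor) of the check described above and in the NCSC's note on anomalous IP locations or times: it learns each user's usual source networks and login hours from a baseline period, then flags later successful logins that fall outside them. The log format, the /24 grouping (IPv4 assumed) and the two-hour slack are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up "timestamp key=value" format; real VPN
# appliances log differently, so adapt parse_line() to your product's format.
SAMPLE_LOG = """\
2019-09-02T08:55:12 user=alice src=198.51.100.14 result=success
2019-09-03T09:10:40 user=alice src=198.51.100.77 result=success
2019-09-03T17:42:03 user=bob src=203.0.113.5 result=success
2019-09-04T08:47:51 user=alice src=198.51.100.14 result=success
2019-09-04T18:05:19 user=bob src=203.0.113.9 result=success
2019-09-20T03:12:44 user=alice src=192.0.2.200 result=success
2019-09-20T09:01:02 user=alice src=198.51.100.20 result=success
2019-09-21T17:30:00 user=bob src=192.0.2.200 result=failure
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    # Group sources by /24 so address churn inside one network is not flagged.
    rec["net"] = ipaddress.ip_network(rec["src"] + "/24", strict=False)
    return rec

def hour_gap(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # wrap around midnight

def find_anomalies(log_text, baseline_end, hour_slack=2):
    """Learn per-user source networks and login hours before baseline_end,
    then flag later successful logins that fall outside either."""
    nets, hours, alerts = defaultdict(set), defaultdict(set), []
    cutoff = datetime.fromisoformat(baseline_end)
    for rec in map(parse_line, filter(None, log_text.splitlines())):
        if rec["result"] != "success":
            continue
        user, when = rec["user"], rec["time"]
        if when < cutoff:
            nets[user].add(rec["net"])
            hours[user].add(when.hour)
            continue
        reasons = []
        if rec["net"] not in nets[user]:
            reasons.append("new source network")
        if all(hour_gap(when.hour, h) > hour_slack for h in hours[user]):
            reasons.append("unusual hour")
        if reasons:
            alerts.append((when.isoformat(), user, rec["src"], reasons))
    return alerts
```

The baseline period should predate any suspected compromise, otherwise the attacker's own logins are learned as normal.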

And of course you should check VPN settings, as the organization advises: “Check all configuration options for unauthorized changes. This includes the SSH authorized_keys file, new iptables rules and commands set to run on connecting clients. If you have known-good backups of the configuration you can restore then restoring these may be prudent.”
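As an added illustration of that advice (example code, not from the NCSC or a vendor), the following compares a current authorized_keys file and an `iptables-save` dump against known-good backups and reports what was added or removed. The sample file contents and key material are constructed, and the function names are hypothetical.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def _blob(seed):
    # Constructed stand-in for real key material so the sample runs offline.
    return base64.b64encode(seed.encode()).decode()

# Constructed known-good backup and current state of the two items.
GOOD_KEYS = f"ssh-ed25519 {_blob('admin-key')} admin@mgmt\n"
CURRENT_KEYS = (GOOD_KEYS +
                f"# maintenance\nssh-rsa {_blob('unknown-key')} support\n")
GOOD_RULES = ("*filter\n:INPUT DROP [120:9000]\n"
              "-A INPUT -p tcp --dport 443 -j ACCEPT\nCOMMIT\n")
CURRENT_RULES = ("*filter\n:INPUT DROP [431:22871]\n"
                 "-A INPUT -p tcp --dport 443 -j ACCEPT\n"
                 "-A INPUT -p tcp --dport 2222 -j ACCEPT\nCOMMIT\n")

def key_fingerprints(authorized_keys_text):
    """Map SHA256 fingerprint -> comment for each key entry, ignoring options."""
    found = {}
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
                fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
                found[fp] = " ".join(tokens[i + 2:])
                break
    return found

def appended_rules(iptables_save_text):
    """Return the -A rule lines; chain counters and comments are ignored."""
    return {l.strip() for l in iptables_save_text.splitlines() if l.startswith("-A ")}

def unauthorized_changes(good_keys, cur_keys, good_rules, cur_rules):
    good_fp, cur_fp = key_fingerprints(good_keys), key_fingerprints(cur_keys)
    good_r, cur_r = appended_rules(good_rules), appended_rules(cur_rules)
    return {
        "added_keys": sorted(cur_fp[fp] for fp in cur_fp.keys() - good_fp.keys()),
        "removed_keys": sorted(good_fp[fp] for fp in good_fp.keys() - cur_fp.keys()),
        "added_rules": sorted(cur_r - good_r),
        "removed_rules": sorted(good_r - cur_r),
    }
```

Keys are compared by fingerprint rather than by whole line, so an entry whose comment was edited to look familiar still shows up as new.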

The NCSC also reminds us that any current activity related to these threats to VPNs can be reported via the organization’s website.


Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).
