Sangfor Technologies and its customers have been victims of a sophisticated targeted attack that leverages vulnerabilities in Sangfor’s SSL VPN equipment and its client agent. In response, Sangfor set up an emergency incident response team to address this issue immediately.
Within 48 hours of notification, Sangfor completed a comprehensive security risk audit of our impacted solutions and released a repair patch for SSL VPN products. After installing the repair patch to upgrade the SSL VPN product, customers can automatically update and restore the compromised clients to block similar attacks. In addition to the repair patch, Sangfor has also launched a set of security solutions against this type of attack, including tamper-detection tools and malware removal tools, which customers can install and customize to their requirements, allowing them to eliminate security risks at multiple levels. Furthermore, Sangfor offers complementary incident response services for any customers who have suffered incidents as a result of this compromise.
Based on security analysis from the Sangfor blue team, very few customers suffered from a set of sophisticated and targeted attacks by a coordinated team of attackers with advanced skillsets. A software vulnerability was found in the digital signature verification mechanism of SSL VPN clients. However, a successful attack requires administrative credentials to the SSL VPN devices, making this attack extremely difficult to replicate.
Sangfor’s analysis concludes that the majority of Sangfor SSL VPN customers have not been compromised. However, all customers with outdated patches should upgrade their systems accordingly.
Solution Guide for Existing Sangfor SSL VPN Customers
24/7 Expert Technical Support
All existing SSL VPN customers have access to a 24x7 security service hotline. Most customers are encouraged to contact our online remote assistance for help in confirming their security posture. While we are confident that most of our customers have not been breached, we do offer onsite incident response for those who have been compromised.
Here are the local numbers and TAC information for each region:
• Hong Kong & Macau & Taiwan: +852-69701738
• Thailand: +66 (0) 6-0002-4050
• Malaysia: +60 163368835
• Indonesia: +62 856-4560-0296
• Philippines: +63 917-6899-911
• Singapore: +65 627-69133
• Vietnam: +84 0902037476
• Myanmar: +09 795409606
• EMEA: +971 585849698
Global Technical Assistance Center
For other regions/countries, you can contact the above Global Customer Service team. Affected users can also reach us by email: email@example.com.
Using Malware Removal Tools
Sangfor has released 32-bit and 64-bit system malware removal tools to help customers eliminate the malicious files. If self-detection confirms that the equipment has been infected with malicious files, please install the malware removal tools to eliminate the threat. Please contact Sangfor support by sending an email to firstname.lastname@example.org to download them.
The Sangfor Endpoint Secure platform can also detect and kill the malicious file. Endpoint Secure users need only update the rule base version to 20200406135939 or above to remove the malicious Trojans across the entire network.
Advice for All Customers
Sangfor reminds our customers to follow best security practices: update critical servers and infrastructure to the latest software patch, use strong passwords and change them frequently, and validate and audit security controls regularly.
Sangfor, a worldwide leader in cloud computing, security, and infrastructure solutions, always puts the security of our customers at the heart of our business strategy and will continue to carry out a comprehensive review of existing products and more stringent verification tests. We are committed to providing our customers with more secure products, services, and solutions.
For more information or media inquiries, please contact us at email@example.com.
Sangfor Technologies Inc.
April 07, 2020