Multiple ransomware gangs have weaponized and are abusing a zero-day in EntroLink Virtual Private Network (VPN) appliances after an exploit was released on an underground cybercrime forum at the start of September 2021. The zero-day is believed to impact EntroLink PPX-AnyLink devices, popular with South Korean companies, and used as user authentication gateways and VPNs to allow employees remote access to company networks and internal resources. An exploit targeting these devices was released last month, on September 13, 2021. The exploit, initially sold on another forum for $50,000, was released for free by the administrator of a newly-launched cybercrime forum in what appears to be a promotional stunt meant to raise the site’s profile among other cybercrime groups. According to the forum post, the exploit is still unpatched, exploits a network protocol, and grants remote code execution with root-level access to PPX-AnyLink devices. The post also describes the bug as an input validation issue and that the exploit is self-contained and only needs a few seconds to compromise a device. Since the exploit’s release, affiliates for the BlackMatter and LockBit ransomware operations have been linked to possible intrusions where this exploit might have been used, according to a researcher who is currently tracking and investigating ransomware attacks.
Analyst Notes
This exploit has not yet been patched and the company making the VPN devices did not engage with the researcher or return a request for comment by The Record. Organizations using EntroLink VPN appliances should update the devices as soon as a patch is made available and monitor for suspicious activity.
https://therecord.media/ransomware-gangs-are-abusing-a-zero-day-in-entrolink-vpn-appliances/
