Many top Israeli organizations and entities failed to act following a double warning regarding a security flaw in some of the VPN servers they use, potentially enabling hostile actors to obtain sensitive information, according to activist hacker Noam Rotem. Among the organizations named are government bodies such as the Ministries of Finance, Health, and Environmental Protection, Israeli defense contractor Elbit Systems Ltd., and private companies like Israeli telecom Bezeq and Israeli food manufacturer Tnuva Food Industries Ltd.
In April, there were reports of security vulnerabilities discovered in the VPNs of several manufacturers, including Pulse Secure, Palo Alto, and Fortinet. The flaws enabled attackers to retrieve files and user information from the servers without needing to authenticate. Patches were released soon after.
On August 25, the Israel National Cyber Directorate published an urgent warning regarding the vulnerabilities, along with a recommendation that every organization using the relevant VPN software download the patch or update immediately. The vulnerabilities exposed thousands of organizations in Israel to a potential hacker attack, the directorate said. Such an update takes only a few hours, but when Rotem tested various Israeli organizations a few days later, he found many that had not heeded the warning.
“Some organizations did not fix the vulnerability, enabling any person with a browser to read files off the server’s operating system, including password files and user management files,” Rotem said. Those can then be used to reach the inner network, often less secured due to its reliance on authorized access, and in many organizations, they can also be used to gain access to employee email accounts, he said.
The list of organizations left vulnerable because they were running outdated versions includes the previously mentioned ministries, the University of Haifa, telecom Bezeq and Cellcom Israel Ltd., satellite television company Yes, car leasing companies Albar and Eldan, detergent company Sano-Bruno’s Enterprises Ltd., investment house Migdal Capital Markets, Excellence Investment House, insurance company Menora Mivtachim Holdings, investment and holding group Shlomo Group, IP communication company AudioCodes Ltd., real estate company Naaman Group, fashion retailer Castro, Tnuva, Israel’s national lottery Mifal HaPais, and advertising agency McCann Tel Aviv.
When the cyber directorate issues an urgent warning and the security officers of many organizations choose to ignore it, it is a serious matter, Rotem said. “Their only objective is to protect the information they hold. It is beyond negligence.”
Three of the companies—Sano, Shlomo Group, and Naaman Group—initially denied the vulnerability until Rotem presented evidence of information obtained through it. Sano then updated its comment to say the matter was being investigated. The company patched the software on Tuesday at noon. Shlomo Group stated that it invests many resources in cybersecurity and immediately follows up on any relevant warning. In its initial statement denying the breach’s existence, Naaman Group claimed its cybersecurity system had been updated the previous month. After being confronted with information obtained from its systems, Naaman confirmed the breach and stated it was just one case that involved a new computer with limited authorization, and that the issue was immediately fixed.
A spokesperson for Yes said the company acted immediately following the directorate’s warning and installed all relevant updates. The breach Rotem found was for a system set to go offline in the next few days that does not contain any sensitive information and cannot be used to access the inner network, the spokesperson said.
A spokesperson for Excellence said the vulnerabilities had nothing to do with clients and, in any case, were identified and fixed by the firm as part of its routine security checks.
Mifal HaPais said the directorate’s warning is being processed by a local supplier and will be fixed in the upcoming days. Rotem, however, estimated that such updates should not take more than a few hours.
Elbit has yet to respond to Calcalist’s request for comment.
A spokesperson for the finance ministry said the ministry routinely updates its information systems to keep them secure.
A spokesperson for the environmental protection ministry said the ministry complies with directives from the directorate, adding that the August warning did not mention a system used by the ministry. When a test run by the ministry for all devices showed a problem with one product, the ministry fixed the issue, the spokesperson added.
A spokesperson for the health ministry said it complies with directives from the directorate, and worked to update its systems immediately following the warning in August.
A spokesperson for Bezeq said the vulnerabilities were detected in a product developed by external cybersecurity manufacturers that work with the company, and that the company updated its version immediately following the warning.
Cellcom stated it routinely updates its cybersecurity systems.
Albar stated the VPN server flagged as vulnerable has been non-operational for two years and did enable access to the company’s systems, but was decommissioned permanently after the issue was discovered.
AudioCodes stated the vulnerability was discovered in third-party software and is being handled according to the manufacturer’s instructions. The company knows of no resulting damage, it said.
Castro stated it had learned of the problem a few days earlier from an external security advisor and that the patch was installed immediately. Even if someone had attempted to access the company’s systems via the breach, they would have been unsuccessful due to its cybersecurity measures, Castro said.
Eldan stated it immediately fixed the vulnerability when it was made known.
Menora stated it had moved quickly to fix the problem according to the provided instructions and has made sure no data was compromised prior to the update.
Tnuva stated it had updated all its systems after assessing the situation.
McCann stated it follows stringent security protocols and commences cybersecurity sweeps regularly, and thus identified the vulnerability and fixed it immediately.