emPSN have been contacted by the UK CERT who has obtained and collated information from an open source – ShadowServer, which has identified hosts on the empsn network that are VPN Services using ISAKMP.  The information provided to us identifies the services which are ‘vulnerable.’

Methodology

Shadowserver are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response.

This scan is looking for devices that contain a vulnerability in their IKEv1 packet processing code that could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. More information on this issue can be found on Cisco’s site at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1

Alternative remote access solutions are available from empsn on network suppliers from a little as £25 per user per year, with no requirement for onsite devices.  We can offer a managed IPSEC VPN solutions for site admins, Leadership Teams, admin staff or the entire school if required.

We strongly recommend that system administrators regularly check for any potential compromise of the services accessible from the Internet.  If so a scan and clean of the servers should then be undertaken in order to remove any malicious software. Once this has been completed please act to reset all account passwords and any other accounts where the same or similar passwords are used.

Other Useful Links

• Malware removal – https://www.empsn.org.uk/2016/03/08/malware-removal/
• How to report cyber-attack – http://www.actionfraud.police.uk/
• Get Safe OnLine – http://getsafeonline.org/
• Cyber Streetwise – http://cyberstreetwise.com/
• Safer Internet Centre – https://www.saferinternet.org.uk/

If you would like more help regarding this or would like to discuss this information further, please contact support@empsn.org.uk