Attacks against VPNs have seen a staggering rise in the first quarter of 2021, with one of them being associated with the cyberattack on Colonial Pipeline. Investigations revealed that the DarkSide threat actors had managed to gain an initial foothold into the network via a compromised VPN password, causing the loss of around 100GB of data and disruption to the fuel supply across several U.S. states. While the incident sheds light on the failure to provide an additional layer of security to VPN accounts, other concerning factors arise due to unpatched vulnerabilities.

Concerning factors

  • In a recent report, Nuspire revealed that attacks against Fortinet’s SSL-VPN rose 1,916% in the first quarter of 2021. It also identified a 1,527% spike in attacks against Pulse Secure VPN.
  • Based on the data collected, malicious actors tried to abuse previously disclosed flaws to launch cyberattacks. The two most heavily targeted flaws were a path traversal vulnerability (CVE-2018-13379) affecting Fortinet's SSL-VPN and an arbitrary file disclosure vulnerability (CVE-2019-11510) in Pulse Connect Secure VPN.
  • Both vendors issued patches for the flaws in their respective products a long time ago. Furthermore, security analysts have for some time been warning of threat actors showing high interest in these vulnerabilities.

A tab on recent VPN attacks

  • FireEye’s Mandiant cyber forensic team recently discovered four new malware tools that weaponized Pulse Secure vulnerabilities.
  • Tracked as Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse, these tools were used by the UNC2630 and UNC2717 threat actor groups to establish persistence on devices connected to Pulse Secure VPNs.
  • The attackers used these tools to launch attacks against defense, government, technology, transport, and financial entities in the U.S. and Europe.
  • In a different incident, malicious attacks via a SonicWall VPN flaw were also reported in the first week of June.
  • In this case, threat actors exploited an old vulnerability (CVE-2019-7481) in the VPN to compromise older SonicWall SRA 4600 VPN devices.

What do these incidents indicate?

  • The key point is that if a VPN is vulnerable, threat actors will find ways to exploit and monetize it.
  • Slowness in patching these vulnerabilities gives adversaries ample opportunity to launch attacks against exposed endpoints. Once they are in, they can exfiltrate information and deploy malware.

Fix it to prevent attacks

In this COVID-19 era, as more organizations move their infrastructure, networks, and applications to the cloud, everything becomes more accessible to users and attackers alike. Moreover, the major shift to remote work gives cybercriminals a lucrative opportunity to conduct widespread scanning and exploitation against exposed systems, with more unexpected trends likely to be observed in 2021. VPNs remain one of the most attractive targets for breaching endpoint systems. Therefore, organizations should always be on alert to apply patches as soon as vendors release them.

Cyware Publisher