VPN Attacks: A Rising Threat for Remote Work in the COVID-19 Era

Concerning factors

• In a recent report, Nuspire revealed that attacks against Fortinet’s SSL-VPN had jumped to 1,916% in the first quarter of 2021. It was also identified that there was a 1,527% spike in attacks against Pulse Secure VPN.
• Based on the data collected, malicious actors tried to abuse previously disclosed flaws to launch cyberattacks. Two highly targeted flaws included a path reversal vulnerability (CVE-2018-13379) affecting Fortinet VPN and a file distribution vulnerability (CVE-2019-11510) in Pulse Secure Connect VPN.
• Both vendors issued patches for the flaws in their respective products a long time ago. Furthermore, security analysts have for some time been warning of threat actors showing high interest in these vulnerabilities.

A tab on recent VPN attacks

• FireEye’s Mandiant cyber forensic team recently discovered four new malware tools that weaponized Pulse Secure vulnerabilities.
• Tracked as Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse, these tools were used by the UNC2630 and UNC2717 threat actor groups to establish persistence on devices connected to Pulse Secure VPNs.
• The attackers used these tools to launch attacks against defense, government, technology, transport, and financial entities in the U.S. and Europe.
• In a different incident, malicious attacks via a SonicWall VPN flaw were also reported in the first week of June.
• In this case, threat actors exploited an old vulnerability (CVE-2019-7481) in the VPN to compromise older SonicWall SRA 4600 VPN devices.

What do these incidents indicate?

• The key point is that if a VPN is vulnerable, threat actors will find ways to exploit and monetize it.
• The stealthiness shown in patching the vulnerabilities gives an ample opportunity for adversaries to launch attacks against vulnerable endpoints. Once they are in, they can exfiltrate information and deploy malware.

Fix it to prevent attacks