Threat actors are spoilt for choice as the use of VPN services surges during the pandemic. With many employees still working from home, the widespread use of VPNs has opened a broad attack surface against their users.
According to ZDNet's analysis, VPN appliances with multiple vulnerabilities were among the top three intrusion vectors in the first half of 2020. In the second half, such attacks are believed to have intensified as threat actors channeled their intrusions through exploits for VPN products.
What’s the latest update?
- Earlier this month, a hacker posted a list of IP addresses from almost 50,000 Fortinet VPN devices that are vulnerable to a path traversal vulnerability (CVE-2018-13379).
- During the investigation, it was found that the targeted domains belonged to high street banks and government organizations from around the world.
- The exploit posted by the hacker could let attackers access the sslvpn_websession files from Fortinet VPNs to steal login credentials. Those stolen credentials could then be used to compromise a network and deploy ransomware.
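The credential theft described above starts with a path traversal request that reaches a file the web server was never meant to serve. The following is an added example written for this page, not code from the article or from any vendor: a small log scanner that a defender can run over SSL-VPN web access logs to flag traversal attempts and any request referencing the sslvpn_websession file. It assumes a Common Log Format access log and a hypothetical `/app/download?file=` endpoint; the log lines are constructed, not real traffic, and the only name taken from the article is the sslvpn_websession file.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access log in Common Log Format (not real traffic).
# 198.51.100.7 sends a single-encoded traversal in a query value and a
# double-encoded traversal in the path; the other lines are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.11 - - [20/Nov/2020:10:01:05 +0000] "POST /remote/logincheck HTTP/1.1" 302 0
198.51.100.7 - - [20/Nov/2020:10:02:17 +0000] "GET /app/download?file=..%2F..%2F..%2Fsslvpn_websession HTTP/1.1" 200 8192
198.51.100.7 - - [20/Nov/2020:10:02:19 +0000] "GET /app/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0
203.0.113.12 - - [20/Nov/2020:10:03:40 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 900
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# File names whose appearance in a request is suspicious on its own.
# sslvpn_websession is the session file named in the article.
SENSITIVE_FILES = ("sslvpn_websession",)


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(s):
    """True if a decoded path segment is exactly '..' (a parent-directory hop)."""
    s = s.replace("\\", "/")  # treat backslash separators like forward slashes
    return re.search(r'(^|/)\.\.(/|$)', s) is not None


def analyze_request(target):
    """Return sorted reasons why a request target looks like a traversal attempt."""
    parts = urlsplit(target)
    # Inspect the decoded path and every decoded query value.
    candidates = [fully_decode(parts.path)]
    candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for c in candidates:
        if has_traversal(c):
            reasons.add("path traversal sequence")
        for name in SENSITIVE_FILES:
            if name in c.lower():
                reasons.add(f"references {name}")
    return sorted(reasons)


def scan_log(text):
    """Parse each log line and report suspicious requests with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = analyze_request(m["target"])
        if reasons:
            status = int(m["status"])
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "target": m["target"],
                "status": status,
                # A 2xx on a flagged request means the server actually served it.
                "served": 200 <= status < 300,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f"{f['ip']} {f['timestamp']} {flag}: {', '.join(f['reasons'])} -> {f['target']}")
```

Run it as-is to see the two flagged requests; on real logs, feed the file contents to `scan_log`. A flagged request that was served with a 2xx status is the case that matters: it indicates the session file may have been read, so the credentials of every session active at that time should be treated as exposed and rotated, in addition to patching the appliance.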
What does this indicate?
- Malicious actors can exploit the vulnerability and cause serious downtime resulting in significant financial loss.
- Since VPN endpoints play a crucial role in business infrastructure, the compromise of even a single endpoint may lead to a takeover of the entire domain or network.
A new twist in the tale
- In mid-October, the U.S. government warned of new APT attacks that combined exploits for VPN products with the recently discovered Zerologon bug.
- The advisory noted that after gaining initial access through the Zerologon flaw, actors leveraged vulnerabilities in VPNs to access the environment with the compromised credentials.
- Furthermore, CISA revealed that VPN products from Juniper, Pulse Secure, Citrix NetScaler, and Palo Alto Networks could be chained with Zerologon to achieve the same result.
Unpatched zero-day flaw adds more concern
- Zero-day vulnerabilities present serious risks, and the risk grows when security patches are not released promptly.
- For instance, Cisco reported a zero-day vulnerability in its AnyConnect Secure Mobility Client VPN product without releasing a fix.
- Though the security flaw has not been exploited yet, a proof-of-concept is publicly available, which raises the risk that cybercriminals will leverage the flaw.
The bottom line
VPNs are far from a forgotten target for adversaries. Exploiting a vulnerable VPN can give attackers access to a large corporation's internal network and help them gain persistent access to sensitive resources. Securing VPNs is therefore crucial for organizations that rely on them as a secure yet cost-effective way to use the internet for essential business needs.