Zeroing in on VPN Security
Has the security effectiveness of VPNs passed?
Another Technical Article by Tanvee Dhir!
Why under scrutiny?
VPNs (Virtual Private Networks) have been a cardinal piece of secure internet access for decades. They provide an encrypted tunnel for carrying data across an untrusted network, whether in a home or an enterprise environment. Vendors build their offerings on different VPN protocols and encryption algorithms, and with the increase in remote work the VPN market has expanded enormously, giving customers thousands of options to choose from.
VPN gateways are entry points into protected enterprise networks, which has always made them tempting targets, and the worldwide surge in remote work has dramatically increased that attack surface. When attackers pick targets, they favour products deployed widely across many enterprises, since one working exploit can then open many networks at minimal cost. More than 500 known VPN vulnerabilities are listed in the CVE database, with new zero-days being added regularly. The persistent targeting of VPNs has led several government agencies to collaborate on guidance, and security researchers to share resources and new perspectives on VPN security.
2021 Attack Timeline
2020 was a thriller of a year, for obvious reasons, and the cybersecurity industry in particular saw the sharpest rise in cybercrime and attacks on industry. It is probably fair to say that ransomware spread at a rate no lower than the coronavirus. Now, as we enter the fourth quarter of 2021, the attacks have only grown in intensity, complexity, and persistence.
Looking back at 2021 we have seen many prominent cyber-attacks, from supply chain attacks and multiple ransomware campaigns to the latest rapid intrusions. A major share of these attacks involved threat actors weaponizing VPN vulnerabilities (new or unpatched) to gain access to protected networks. The timeline below highlights some of the major incidents of 2021 involving widely used VPN vendors, along with the ransomware exploiting each vulnerability.
- First quarter: SonicWall disclosed that its internal systems had been compromised through a zero-day in its SMA100 SSL-VPN appliances (CVE-2021-20016, an SQL injection that let unauthenticated attackers read stored credentials and session data).
- Second quarter: major attacks exploited old, unpatched vulnerabilities. Cring ransomware operators targeted Fortinet FortiGate SSL-VPN devices still vulnerable to CVE-2018-13379, and around the same time the NSA, CISA, and FBI released a joint advisory listing the vulnerabilities most heavily targeted by nation-state APTs. A few weeks later, FireEye disclosed a zero-day in Pulse Secure VPN appliances (CVE-2021-22893) that was being used to plant malware, steal credentials, and install backdoors in several government networks. The DarkSide ransomware attack that shut down all of Colonial Pipeline's operations and caused fuel shortages across the US east coast began with the attackers logging in through an old VPN account whose password had been compromised. By the end of the quarter, SonicWall appliances were being attacked through an older vulnerability (CVE-2019-7481), forcing the company to issue a security notice to its customers.
- Third quarter: in September Fortinet stepped into the limelight again when a threat actor leaked a list of roughly 500,000 Fortinet VPN usernames and passwords on a forum, compiled by exploiting CVE-2018-13379 on devices that had never been patched.
- Fourth quarter: QuickFox, one of the most widely used free VPN services, leaked Personally Identifiable Information (PII) of more than a million users through a misconfigured Elasticsearch server.
VPNs remain extremely tempting targets and will most certainly continue to be attacked for the remainder of 2021.
While VPNs have long been seen as one of the most accomplished means of protecting data in transit, IT teams more often than not treat a VPN as a service rather than as what it is: a computer on the network. A VPN gateway is reachable from the internet, holds privileges, and stores credentials, yet it is very often misconfigured or left unmaintained, which leads to its compromise. With the abundance of stolen data and exploits available on the dark web at varying prices, attackers can gain access to a vulnerable system with minimal effort and little capital. While there are many ways an attacker can go about breaching a system, most attacks involving VPN services have been due to:
- VPN customers not patching their externally facing products on time (example case: industrial enterprises compromised through unpatched vulnerabilities in Fortinet devices)
- Weak Authentication processes / Multifactor Authentication disabled (Example case: Colonial Pipeline hack)
- Weak cryptographic algorithms on SSL VPNs
- Old VPN accounts and credentials not decommissioned (example case: again, the Colonial Pipeline hack)
- Users given VPN access from their personal devices (BYOD) without proper security controls in place
- Principle of least privilege not implemented, because the VPN service provides no granular access controls
This list is non-exhaustive, but highlights a few of the top causes.
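Two of the causes above, MFA disabled and old accounts never decommissioned, leave traces in the VPN's own authentication log. The script below is an added example (not from the original article or any vendor) that audits such a log for successful logins without MFA, for dormant accounts that suddenly log in again (the Colonial Pipeline pattern), and for accounts that should already have been disabled. The log format is a constructed, vendor-neutral one, and the 90-day dormancy threshold is an assumption to be tuned to your own account-lifecycle policy.

```python
"""Audit a VPN authentication log for MFA bypass and stale-account use.

Added example with a constructed log format; not the output of any real
VPN product. Adapt parse_log() to your vendor's export.
"""
from datetime import datetime, timedelta

# Constructed sample log: timestamp|user|source_ip|mfa|result
SAMPLE_LOG = """\
2021-01-04T08:02:11Z|alice|203.0.113.7|yes|success
2021-01-05T09:15:42Z|contractor01|198.51.100.23|no|success
2021-01-06T07:58:03Z|alice|203.0.113.7|yes|success
2021-02-10T10:30:00Z|bob|192.0.2.44|yes|success
2021-03-15T11:00:00Z|bob|192.0.2.44|yes|success
2021-04-29T22:41:17Z|contractor01|198.51.100.99|no|success
2021-04-30T02:13:55Z|mallory|198.51.100.99|no|failure
"""

# Constructed directory export: accounts that still exist on the VPN.
KNOWN_ACCOUNTS = {"alice", "bob", "contractor01", "olduser"}
AS_OF = datetime(2021, 5, 1)   # date the audit is run (assumed)
DORMANCY_DAYS = 90             # assumed threshold; tune to policy


def parse_log(text):
    """Parse the pipe-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, mfa, result = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "mfa": mfa == "yes",
            "success": result == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def logins_without_mfa(events):
    """Successful logins where the MFA flag was not set."""
    return [e for e in events if e["success"] and not e["mfa"]]


def dormant_reactivations(events, dormancy_days=DORMANCY_DAYS):
    """Successful logins by an account whose previous success was more than
    dormancy_days earlier: the 'old account nobody decommissioned' pattern."""
    last_seen = {}
    findings = []
    gap = timedelta(days=dormancy_days)
    for e in events:
        if not e["success"]:
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev > gap:
            findings.append({"user": e["user"], "ts": e["ts"], "src": e["src"],
                             "idle_days": (e["ts"] - prev).days})
        last_seen[e["user"]] = e["ts"]
    return findings


def stale_accounts(events, known_accounts, as_of, dormancy_days=DORMANCY_DAYS):
    """Accounts that still exist but have not logged in for dormancy_days as
    of `as_of`: candidates for disabling before an attacker finds them."""
    last_seen = {}
    for e in events:
        if e["success"]:
            last_seen[e["user"]] = e["ts"]
    cutoff = as_of - timedelta(days=dormancy_days)
    return sorted(u for u in known_accounts
                  if last_seen.get(u, datetime.min) < cutoff)


def run_audit(text=SAMPLE_LOG, known_accounts=KNOWN_ACCOUNTS, as_of=AS_OF):
    """Run all three checks and return the findings together."""
    events = parse_log(text)
    return {
        "no_mfa": logins_without_mfa(events),
        "dormant_reactivations": dormant_reactivations(events),
        "stale_accounts": stale_accounts(events, known_accounts, as_of),
    }


if __name__ == "__main__":
    report = run_audit()
    for e in report["no_mfa"]:
        print(f"NO-MFA   {e['ts']:%Y-%m-%d} {e['user']} from {e['src']}")
    for f in report["dormant_reactivations"]:
        print(f"DORMANT  {f['ts']:%Y-%m-%d} {f['user']} idle {f['idle_days']}d from {f['src']}")
    print("STALE    ", report["stale_accounts"])
```

On the sample data the contractor account logs in twice without MFA, the second time after 114 idle days, and both alice and the never-used olduser account fall past the 90-day cutoff. In practice the stale-account list should feed a disable-and-review ticket rather than just a report, and the dormant-reactivation check belongs in the SIEM as a standing alert.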
VPNs, RDPs and Zero Trust
While we acknowledge the shortcomings of the technologies we have relied on for years, we also need to understand the technologies that can replace them or be integrated with them for better security. Alongside VPNs, the use of Remote Desktop Protocol (RDP) for remote work has grown sharply, and like any other technology it must be properly configured to avoid compromise. The massive shift to remote work has multiplied the human errors in VPN and RDP practices, which is why a zero-trust mindset is needed: treat every user, device, and request as untrusted until it has been verified. A zero-trust approach moves away from the old 'trust but verify' security model to 'never trust, always verify'. A zero-trust security model promotes zoning and segmentation to control sensitive IT resources with least-privilege access.
Threatpost, in their guide, defines five pillars when it comes to implementing a zero-trust security model:
- Device trust – Implementing a Unified Endpoint Management (UEM) solution to manage and control all devices on the network (desktops, mobiles, IoT, and rogue devices) from a single system, which can further be integrated with Endpoint Detection and Response (EDR).
- User Trust – As password-based authentication becomes more of a risk to enterprise security, enforcing strong authentication and conditional access (certificates, biometrics, MFA and, where possible, password-less methods) helps establish user trust.
- Transport/Session Trust – Building transport and session trust requires controls that allow applications to reach only the internal resources they need, along with transport encryption and session protection.
- Application Trust – Newly developed applications with single sign-on (SSO) enabled go a long way toward strengthening application trust; traditional applications not designed for zero trust can be isolated in virtual environments.
- Data Trust – Even though most data integrity and classification is handled by the application, implementing Data Loss Prevention (DLP) technologies enhances data trust.
Establishing trust across all five pillars lets the organization make informed access decisions. With comprehensive visibility and analytics across the environment, automation and orchestration become possible. Security researchers acknowledge that moving to a zero-trust architecture is a tedious process for IT admins and users alike, but companies should still consider redesigning their infrastructure, with proper processes and policies in place, to adapt to this new security paradigm.
Mitigation & Guidance
Throughout the year CISA, NSA, and FBI have released guidance and advisories specifically focused on remote work, VPNs, and cloud-based technologies. Recently, NSA and CISA jointly released guidance on 'Selecting and Hardening Remote Access VPN Solutions', which details what to consider when selecting a VPN and how to deploy it securely. They also strongly recommend using validated VPN products from the National Information Assurance Partnership (NIAP) Product Compliant List. Separate CISA guidance lists mitigations and recommendations that small to mid-size businesses and MSPs can follow to harden their security.
Here are some general tips to follow in order to solidify your VPN security:
- Keep VPN software up to date and review its configuration periodically
- Enable Multifactor Authentication (MFA)
- Implement robust network and host-based monitoring
- Disable features that are not required
- Keep track of the assets deployed on your network perimeter and make sure they disclose as little information as possible about your network
- Stress-test the network with routine security assessments to expose weak links
- Filter traffic to limit the ports, protocols, and source IP addresses that can reach VPN devices
- Remove all access for decommissioned accounts and credentials
- Employ appropriate network segmentation and restrictions so that VPN users can reach only the services they need
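The last two network tips, filtering what can reach the VPN device and segmenting what VPN users can reach, are easiest to see as a concrete ruleset. The nftables configuration below is an added example, not from the article or the NSA/CISA guidance, for a Linux-based VPN gateway. It assumes eth0 faces the internet, eth1 faces a management network (10.10.0.0/24), tun0 is the tunnel interface handing out 10.8.0.0/24 to clients, the VPN listens on UDP 1194 (the OpenVPN default), and the only internal services clients need are an HTTPS application at 10.20.1.10 and an RDP jump host at 10.20.1.20. All of those addresses and ports are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for a VPN gateway; interface names, subnets and
# service addresses are assumptions, not from the original article.
flush ruleset

table inet vpn_edge {
    set vpn_clients {
        type ipv4_addr
        flags interval
        elements = { 10.8.0.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept

        # The only thing the internet may reach is the VPN listener itself.
        iif "eth0" udp dport 1194 accept

        # Management (SSH) only from the admin network on the internal
        # interface, never from the internet-facing one.
        iif "eth1" ip saddr 10.10.0.0/24 tcp dport 22 accept

        log prefix "vpn-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Over-permissive rule this ruleset replaces (do NOT use):
        #   iif "tun0" accept
        # That lets any VPN user reach every internal host and port.

        # Least privilege: VPN clients reach only the named services.
        iif "tun0" ip saddr @vpn_clients ip daddr 10.20.1.10 tcp dport 443 accept
        iif "tun0" ip saddr @vpn_clients ip daddr 10.20.1.20 tcp dport 3389 accept

        # Everything else from the tunnel (SMB, admin ports, lateral
        # movement to other subnets) is logged and dropped.
        log prefix "vpn-fwd-drop " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The two log rules matter as much as the accepts: a spike of `vpn-fwd-drop` entries from a single client address is exactly the signal of a compromised VPN account probing the internal network, and it should be forwarded to the monitoring the earlier tips call for.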
Deploying a VPN solution with properly enabled configurations and hardened operational controls leaves an organization far better equipped when attackers come looking for a way into its network. No scenario offers 100% security, but staying a few steps ahead of the attacker will always work in favour of better security.
Original article by Tanvee Dhir, CEH. Data Security Analyst, infotex