
Zeroing in on VPN Security

By Tanvee Dhir | Monday, November 1, 2021 - Leave a Comment

Has the security effectiveness of VPNs passed?


Another Technical Article by Tanvee Dhir!


Why under scrutiny?

VPNs (Virtual Private Networks) have been a cornerstone of secure remote connectivity for decades. They provide an encrypted tunnel for carrying data across an untrusted network, whether from a home or inside an enterprise. Vendors build their products on different VPN protocols and cipher suites and offer them as a service, and the rise in remote work has expanded the VPN market to the point where customers have thousands of options to choose from.

VPN gateways are entry points into protected enterprise networks, which has always made them a tempting target for attackers, and the worldwide surge in remote work has dramatically increased that attack surface. When attackers pick targets, they favor products that are widely deployed across many enterprises, because one working exploit then opens many systems for minimal expense. More than 500 known VPN vulnerabilities are listed in the CVE database, and new zero-days are added regularly. This persistent targeting of VPNs has led government entities to collaborate on guidance and cybersecurity researchers to share resources and bring new perspectives to VPN security.

2021 Attack Timeline

2020 was a thriller of a year, for obvious reasons, and the cybersecurity industry in particular saw a record rise in cybercrime and attacks on industry. It is fair to say that ransomware spread at a rate no less than the coronavirus. Now, as we enter the fourth quarter of 2021, the attacks have only risen in intensity, complexity, and persistence.

Looking back at 2021, we have seen many prominent cyber-attacks, from supply chain compromises and multiple ransomware campaigns to the rapid succession of attacks in recent months. A major share of these attacks involved threat actors weaponizing VPN vulnerabilities, new or unpatched, to gain access to protected networks. The timeline below highlights some of the major 2021 attacks on widely used VPN vendors, along with the ransomware groups that exploited each vulnerability.

(Graphic: 2021 VPN attack timeline)

The first quarter saw SonicWall's internal systems compromised and its SMA100 SSL-VPN product exploited through a zero-day SQL injection flaw (CVE-2021-20016) that exposed login credentials and session information to unauthenticated attackers.

The second quarter of 2021 saw major attacks exploiting previously known but unpatched vulnerabilities. The Cring ransomware targeted unpatched Fortinet FortiGate VPNs (CVE-2018-13379), and the NSA, CISA, and FBI released a joint advisory listing the vulnerabilities most heavily targeted by nation-state APTs. A few weeks later, FireEye disclosed a zero-day (CVE-2021-22893) in Pulse Secure VPN appliances that was being used to deploy malware, steal credentials, and install backdoors in several government networks. Another blockbuster attack, the DarkSide ransomware intrusion that led Colonial Pipeline to shut down its pipeline operations and caused fuel shortages across the US East Coast, began with the attackers logging in through an old VPN account whose password was still valid. By the end of the quarter, SonicWall's VPN appliances were being targeted through an older vulnerability (CVE-2019-7481), forcing the company to issue a security notice to its customers.

In September, Fortinet was back in the limelight when a threat actor leaked a list of roughly 500,000 Fortinet VPN usernames and passwords on a forum, compiled by exploiting CVE-2018-13379 on devices that were still vulnerable. As we enter the final quarter of 2021, one of the most widely used free VPN services, QuickFox, leaked Personally Identifiable Information (PII) of more than a million users because of a misconfigured Elasticsearch server. VPNs remain extremely tempting targets and will certainly continue to be targeted for the remainder of 2021.

Attack Causes

While VPNs have long been regarded as one of the most effective tools for data privacy, IT teams often treat a VPN appliance as a service rather than as what it is: a computer sitting on the network edge. A VPN gateway is exposed to the internet, holds privileges into the internal network, and stores credentials, yet it is frequently misconfigured or left unmaintained, and that is what leads to its compromise. With stolen data and working exploits available on the dark web at varying prices, an attacker can reach a vulnerable system with minimal effort and little capital. There are many ways to attack a system, but most of the attacks involving VPN services have come down to:

  • Organizations not patching their externally facing VPN products on time (example: industrial enterprises compromised through unpatched Fortinet devices)
  • Weak authentication processes or multifactor authentication (MFA) disabled (example: the Colonial Pipeline hack)
  • Weak or outdated cryptographic algorithms and protocol versions on SSL VPNs
  • Old VPN credentials not decommissioned (example: again, the Colonial Pipeline hack)
  • Users granted VPN access from personal devices (BYOD) without adequate security controls
  • Principle of least privilege not enforced because the VPN service offers no granular access controls

This list is non-exhaustive, but highlights a few of the top causes.
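Several of these causes (credentials never decommissioned, MFA left off, stale accounts, overbroad access) are visible in a VPN appliance's user export long before anyone exploits them. The script below is an added example, not code from the original article: it audits a constructed CSV export against those four causes. The column names, the group names treated as "broad access", and the 90-day staleness threshold are assumptions; map them to what your appliance actually exports.

```python
"""Audit a VPN account export for the hygiene failures listed above.

Added example, not code from the original article. The CSV columns are an
assumed, vendor-neutral layout; map them to your appliance's export.
"""
import csv
import io
from datetime import date

# Constructed sample export (not real data). Column layout is assumed.
SAMPLE_EXPORT = """\
username,enabled,mfa_enabled,last_login,employee_status,groups
alice,true,true,2021-10-28,active,vpn-users
bob,true,false,2021-10-20,active,vpn-users
carol,true,true,2021-05-02,active,vpn-users
dave,true,true,2021-09-14,terminated,vpn-users
erin,true,true,2021-10-25,active,vpn-users;vpn-full-network;domain-admins
vendor-svc,true,false,2020-12-01,contractor,vpn-full-network
"""

STALE_DAYS = 90
# Group names that grant broad network access; assumed for the example.
BROAD_GROUPS = {"vpn-full-network", "domain-admins"}


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(rows, today="2021-11-01"):
    """Return (username, finding) pairs for enabled accounts that match one
    of the attack causes: terminated owner, MFA off, stale, or overbroad.
    `today` is an ISO date string so the audit result is reproducible."""
    today = date.fromisoformat(today)
    findings = []
    for row in rows:
        user = row["username"]
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to flag
        if row["employee_status"].strip().lower() == "terminated":
            findings.append((user, "credential-not-decommissioned"))
        if row["mfa_enabled"].strip().lower() != "true":
            findings.append((user, "mfa-disabled"))
        last_login = date.fromisoformat(row["last_login"])
        if (today - last_login).days > STALE_DAYS:
            findings.append((user, "stale-account"))
        if set(row["groups"].split(";")) & BROAD_GROUPS:
            findings.append((user, "broad-access"))
    return findings


def users_with_findings(findings):
    """Distinct usernames that need action, in stable order."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, finding in audit_accounts(parse_export(SAMPLE_EXPORT)):
        print(f"{user:12s} {finding}")
```

Run it against a real export and every line of output is an account to disable, enrol in MFA, or move to a narrower group. Service and contractor accounts (like the constructed `vendor-svc` row) tend to fail several checks at once, which is exactly the profile of the "old VPN account" that opened Colonial Pipeline.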

VPNs, RDPs and Zero Trust

While we acknowledge the shortcomings of the technologies we have relied on for years, we also need to understand the technologies that can replace them or be integrated with them for better security. Alongside VPNs, the use of Remote Desktop Protocol (RDP) for remote work has grown substantially, and like any other technology it must be properly configured to avoid compromise. The massive shift to remote work has multiplied the opportunities for human error in VPN and RDP practices, which is why a zero-trust mindset is needed: no user, device, or connection is trusted by default, regardless of where on the network it sits, and every access request is verified. Zero trust moves from the older security model of 'trust but verify' to 'never trust, always verify'. It promotes zones and segmentation so that sensitive IT resources are reachable only with least-privilege access.

Threatpost, in their guide, defines five pillars when it comes to implementing a zero-trust security model:

  1. Device trust – Implementing a Unified Endpoint Management (UEM) solution to manage and control all devices on the network (desktops, mobiles, IoT, and rogue devices) from a single console, which can further be integrated with Endpoint Detection and Response (EDR).
  2. User trust – As password-only user authentication becomes more of a risk for enterprise security, enforcing strong password-less and conditional-access technologies (biometrics, certificates, MFA, etc.) raises user trust.
  3. Transport/Session trust – Building transport and session trust requires controls that allow an application to reach only the internal resources it needs for its operation, along with transport encryption and session protection.
  4. Application trust – Newly developed applications with single sign-on (SSO) enabled are a good foundation for application trust. Traditional applications that were not designed for zero trust can be isolated in virtual environments.
  5. Data trust – Even though most data integrity and classification is handled by the application, implementing Data Loss Prevention (DLP) technologies strengthens data trust.

Establishing trust across all five pillars allows access decisions to be made with full context and enforced with appropriately scoped permissions. With comprehensive visibility and analytics across the digital environment, it becomes possible to build automation and orchestration on top of those decisions. Security researchers acknowledge that a zero-trust architecture is a tedious process for IT admins and users alike, but companies should still consider redesigning their infrastructure, with proper processes and policies in place, to adapt to this new security paradigm.

Mitigation & Guidance

Throughout the year CISA, NSA, and FBI have released guidance and advisories focusing specifically on remote work, VPNs, and cloud-based technologies. Recently, NSA and CISA jointly released guidance, 'Selecting and Hardening Remote Access VPN Solutions', that details what to consider when selecting a VPN and how to deploy it securely. They strongly recommend using validated VPN products from the National Information Assurance Partnership (NIAP) Product Compliant List. Another CISA guidance document lists mitigations and recommendations that small to mid-size businesses and MSPs can follow to harden their security.

Here are some general tips to follow in order to solidify your VPN security:

  • Keep VPN software patched and review its configuration periodically
  • Enable multifactor authentication (MFA)
  • Implement robust network- and host-based monitoring
  • Disable features that are not required
  • Keep an inventory of assets deployed on the network perimeter and make sure they disclose as little information as possible about your network
  • Stress-test the network with routine security assessments to expose weak links
  • Filter traffic to the VPN device, limiting the ports, protocols, and source IP addresses that can reach it
  • Remove all access for credentials that have been decommissioned
  • Employ network segmentation and restrictions so that VPN users can reach only the services they need
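The "robust monitoring" tip is where the leaked Fortinet credential list and the Colonial Pipeline login would have shown up first: as authentication events on the gateway. The script below is an added example, not code from the original article or any vendor. It parses constructed VPN authentication log lines in an assumed, vendor-neutral syslog format and raises two alerts a practitioner would want from a VPN monitor: a password spray (one source failing against many distinct accounts inside a window) and a brute force that ends in a successful login. The log format, window, and thresholds are assumptions.

```python
"""Flag brute-force and password-spray patterns in VPN authentication logs.

Added example, not part of the original article. The log line format and
thresholds are assumptions; adapt LOG_RE to your appliance's syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ts> <host> sslvpn: user=<u> src=<ip> result=<SUCCESS|FAILED>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAILED)$"
)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2021-10-30T02:14:05Z vpn01 sslvpn: user=alice src=203.0.113.7 result=FAILED
2021-10-30T02:14:15Z vpn01 sslvpn: user=bob src=203.0.113.7 result=FAILED
2021-10-30T02:14:25Z vpn01 sslvpn: user=carol src=203.0.113.7 result=FAILED
2021-10-30T02:14:35Z vpn01 sslvpn: user=dave src=203.0.113.7 result=FAILED
2021-10-30T02:14:45Z vpn01 sslvpn: user=erin src=203.0.113.7 result=FAILED
2021-10-30T03:00:01Z vpn01 sslvpn: user=bob src=198.51.100.23 result=FAILED
2021-10-30T03:00:11Z vpn01 sslvpn: user=bob src=198.51.100.23 result=FAILED
2021-10-30T03:00:21Z vpn01 sslvpn: user=bob src=198.51.100.23 result=FAILED
2021-10-30T03:00:31Z vpn01 sslvpn: user=bob src=198.51.100.23 result=FAILED
2021-10-30T03:00:41Z vpn01 sslvpn: user=bob src=198.51.100.23 result=FAILED
2021-10-30T03:01:00Z vpn01 sslvpn: user=bob src=198.51.100.23 result=SUCCESS
2021-10-30T09:00:00Z vpn01 sslvpn: user=alice src=192.0.2.10 result=FAILED
2021-10-30T09:00:30Z vpn01 sslvpn: user=alice src=192.0.2.10 result=SUCCESS
"""

WINDOW = timedelta(minutes=10)   # look-back for counting failures per source
SPRAY_MIN_USERS = 5              # distinct accounts failed from one source
BRUTE_MIN_FAILS = 5              # failures on one account before a success


def parse_log(text):
    """Return (timestamp, user, src, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def detect(events):
    """Return (alert_type, src, user) tuples; each distinct key alerts once."""
    alerts = []
    recent_fails = defaultdict(list)   # src -> [(ts, user), ...] inside WINDOW
    seen = set()
    for ts, user, src, result in events:
        window = recent_fails[src]
        while window and ts - window[0][0] > WINDOW:
            window.pop(0)              # expire failures outside the window
        if result == "FAILED":
            window.append((ts, user))
            if len({u for _, u in window}) >= SPRAY_MIN_USERS:
                key = ("password-spray", src, None)
                if key not in seen:
                    seen.add(key)
                    alerts.append(key)
        else:
            fails = sum(1 for _, u in window if u == user)
            if fails >= BRUTE_MIN_FAILS:
                key = ("brute-force-success", src, user)
                if key not in seen:
                    seen.add(key)
                    alerts.append(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The benign case (one mistyped password followed by a success) produces nothing, while the sprayer and the brute-forced `bob` account each produce one alert. Counting per source IP is deliberately simple; a spray distributed across many addresses needs the same window keyed by target account as well, and the "brute-force-success" alert is the one to page on, since it means a credential is now in an attacker's hands and should be reset and its MFA state checked.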

Deploying a VPN with properly configured settings and hardened operational controls leaves an organization far better equipped when attackers come looking for entryways into its network. No scenario offers 100% security, but staying a few steps ahead of an APT's thinking will always work in favor of better security.



Original article by Tanvee Dhir, CEH. Data Security Analyst, infotex
