In light of the ongoing conversation around the Colonial Pipeline hack and the latest findings showing that the attackers breached the network through a VPN account using nothing more than a compromised username and password, security experts provide detailed insight below on the security threats of VPNs and what organisations can do to manage the risk of ransomware.
<p>VPN appliances have always been a security concern. Allowing remote access to someone located outside the company is inherently risky, but in the past year these concerns have escalated. The COVID-19 pandemic dramatically increased VPN usage, with more employees having access to it and more systems exposed to remote access. Attackers are aware of that, and we have observed an increase in attacks on VPNs.</p>
<p>These attacks can be grouped into three scenarios, each requiring different security measures. First, a VPN appliance exposed to the internet contains a vulnerability, allowing an attacker to gain access to the network by running an exploit. Second, an employee’s credentials may be compromised (for instance, in a social media leak where the employee reused the same password for the company VPN), so an attacker can impersonate the user and execute commands on the systems that user is allowed to reach. Third, an employee’s machine might be infected (for instance, through a spam e-mail) and the attack is carried out once the VPN is connected.</p>
<p>For the first scenario, most significantly, we observed the exploitation of CVE-2021-20016 (affecting SonicWall SSLVPN) by the cyber-crime group DarkSide, and also CVE-2021-22893 (affecting Pulse Secure VPN), exploited by more than 12 different malware strains. To be protected in this scenario, it’s important to keep all third-party software up to date, which limits the window in which known vulnerabilities can be used against you.</p>
<p>For the second scenario, it’s essential to implement multi-factor authentication mechanisms to ensure that the actual user is trying to authenticate and not an attacker impersonating them with leaked credentials. Strong password policies and periodically expiring passwords are very important, as they make it harder for an attacker to guess credentials. However, these policies do not fully solve the problem: a skilled attacker can retrieve recently leaked credentials or even guess currently used passwords based on old samples.</p>
<p>The third scenario is a bit more complex to handle. First, train your employees against social-engineering attacks so they can avoid being infected through phishing and spam messages. On the infrastructure side, use multi-factor authentication to validate access to systems. For example, require the 2FA token when the employee tries to connect to a new system, to ensure that malware is not using the same connection to target or scan other systems. Finally, limit user access to what a person needs to do their job (‘least-privileged access’), keeping sensitive systems that the user doesn’t even need to access out of reach.</p>
<p>These recommendations are part of a Zero-Trust approach. By assuming that any access can be compromised, you will adopt additional security measures, like multi-factor authentication, to ensure the access comes from an actual employee. Segment the network so that damage is contained if a system is compromised and the attacker can’t move laterally. Additionally, we recommend replacing legacy VPN appliances with a Software-Defined Perimeter. This allows you to implement strong security policies for each system the employee tries to access, apply different requirements depending on the employee’s role, the device used and the system being accessed, and limit access to only what is needed to perform a job function.</p>
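The second and third scenarios and the Zero-Trust paragraph above all describe the same kind of per-request access decision: MFA at login, a fresh 2FA token the first time a session reaches a new system, least-privilege role mapping, device posture, and noticing when one VPN session is probing systems it has no business with. The following is an added illustration written for this page, not code from the experts quoted or from any VPN or SDP vendor. The role-to-system map, the managed-device-only set, the device posture fields and the scan threshold are all constructed assumptions; a real deployment would source them from an identity provider and an endpoint-management system.

```python
"""Minimal Zero-Trust style access evaluation for requests made inside a VPN session.

Added example for this article (constructed data, not a product's policy engine).
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Device:
    managed: bool       # corporate-managed endpoint (inventoried and patched)
    edr_healthy: bool   # endpoint protection agent reports a clean state


@dataclass
class Session:
    user: str
    role: str
    mfa_at_login: bool                                     # MFA completed when the VPN tunnel was opened
    device: Device
    step_up_tokens: Set[str] = field(default_factory=set)  # systems for which a fresh 2FA token was presented
    granted: Set[str] = field(default_factory=set)         # systems already reached in this session
    denied: Set[str] = field(default_factory=set)          # distinct systems refused on policy grounds


# Constructed least-privilege mapping: each role sees only the systems its job needs.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "hr": {"hr-portal"},
    "dba": {"db-prod", "db-staging"},
    "developer": {"git", "ci", "db-staging"},
}

# Constructed: sensitive systems that additionally require a managed, healthy device.
MANAGED_DEVICE_ONLY: Set[str] = {"db-prod", "hr-portal"}

# Constructed: this many distinct policy denials in one session is treated as scanning.
SCAN_THRESHOLD = 3


def present_step_up(session: Session, target: str) -> None:
    """Record that the user just completed a 2FA challenge for `target`."""
    session.step_up_tokens.add(target)


def evaluate(session: Session, target: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single access request from a VPN session."""
    # Scenario 2: leaked credentials alone must never be enough.
    if not session.mfa_at_login:
        return False, "mfa_required"
    # Least privilege: the role must list the target explicitly.
    if target not in ROLE_ACCESS.get(session.role, set()):
        session.denied.add(target)
        return False, "not_permitted_for_role"
    # Device posture: sensitive systems only from managed, healthy endpoints.
    if target in MANAGED_DEVICE_ONLY and not (session.device.managed and session.device.edr_healthy):
        session.denied.add(target)
        return False, "device_posture_failed"
    # Scenario 3: the first hop to a NEW system needs a fresh 2FA token, so malware
    # riding the same tunnel cannot silently fan out to other systems.
    if target not in session.granted and target not in session.step_up_tokens:
        return False, "step_up_2fa_required"
    session.granted.add(target)
    return True, "allowed"


def looks_like_scan(session: Session) -> bool:
    """Detection hook: many distinct denials from one session suggests a probe, not a person."""
    return len(session.denied) >= SCAN_THRESHOLD


if __name__ == "__main__":
    dev = Session("alice", "developer", True, Device(managed=True, edr_healthy=True))
    print(evaluate(dev, "git"))            # step_up_2fa_required
    present_step_up(dev, "git")
    print(evaluate(dev, "git"))            # allowed
    for system in ("hr-portal", "finance", "db-prod"):
        print(system, evaluate(dev, system))
    print("scan suspected:", looks_like_scan(dev))
```

The decision order matters: the identity check runs before the role check, so a stolen password fails closed even for a system the user would normally be allowed to reach, and the step-up challenge is per system rather than per session, which is what stops an infected laptop from reusing one tunnel to reach everything the user can. The `denied` set is the piece worth feeding into monitoring: a human typically gets one or two denials by mistake, while a scanner collects many in quick succession.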