Today SOCRadar Labs is launching a new free instant testing service called VPN Radar. Check it out after reading this blog post. We value your feedback; let us know what you think.
Invented more than 20 years ago, VPN technology is still an essential component of today's evolving enterprise attack surface: it gives a mobile, decentralized workforce secure access to sensitive corporate resources. There are compelling alternatives with innovative approaches such as SDP (software-defined perimeter), but none has yet proven able to replace VPN.
Especially since the global COVID-19 pandemic, VPNs have done a great job of creating an encrypted tunnel across untrusted public networks; however, they are not a bulletproof solution. According to Shodan, the number of servers running VPN protocols (IKE, PPTP, etc.) on different ports jumped from nearly 7.5 million to nearly 10 million (by a third) in March 2020. Some significant risks are not readily visible to security teams, yet threat actors can discover and take advantage of them.
In these rapidly changing times, this blog post highlights some of the overlooked risks of VPN servers and provides recommendations on how these risks can be detected before your adversaries find them.
Known vulnerabilities: Elephant in the room
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released information on September 24th, 2020 in response to a recent threat actor's cyberattack on a federal agency network. By exploiting a known vulnerability tracked as CVE-2019-11510 in an unpatched Pulse Secure VPN server, the threat actors could have obtained Active Directory and Office 365 credentials as their initial access. This incident followed advisories CISA had issued 10 days earlier, warning of a wave of attacks carried out by APT groups affiliated with Iran and with China's Ministry of State Security. Potential targets listed by CISA included Citrix and Pulse Secure VPN appliances, for which major vulnerabilities had been disclosed in the previous 15 months. It is not surprising that APT groups frequently scan corporate and government networks for exposed vulnerabilities in widely used VPN appliances to gain unauthorized access.
Have a look at the significant vulnerabilities heavily targeted by threat actors in the last 15 months:
- CVE-2019-19781: Citrix VPN appliances | Dec 17, 2019 | This vulnerability enabled the actors to execute directory traversal attacks.
- CVE-2019-11510: Pulse Secure VPN servers | Aug 5, 2019 | An arbitrary file reading vulnerability affecting Pulse Secure VPN appliances, used to gain access to victim networks.
There might be several reasons for failing to patch these critical vulnerabilities after the vendor's patch was released. One is a lack of attack surface visibility and up-to-date asset management: the organization may not keep a complete inventory of public-facing digital assets across their full lifecycle. For example, if the organization has just a few remote salespeople connecting to a VPN server, this perimeter device may become a forgotten asset after some time. In short, you can only secure what you know you have.
The other reason could be the lack of a risk-based approach to patch prioritization, which causes delays. Since VPN appliances are expected to be up and running at all times, vulnerability teams struggle to find the right time for patching. Remote users may demand continued connectivity; however, it is crucial for SOC teams to weigh factors such as possible impact and threat criticality before making decisions. It would also be a good habit to put more effort into perimeter VPN vulnerabilities for the greater benefit of your organization's security posture.
SSL VPN Security: Rushed pandemic-driven implementations leading to high risk
By providing productivity and availability enhancements, SSL VPNs — known as Clientless or Web VPNs — are highly preferred by remote users over traditional IPSec VPNs. The IT cost reduction and easier scalability have been other key factors for faster adoption during the global pandemic. Although there are obvious advantages from the operational perspective, incorrect implementations of SSL VPNs pose network security risks that can lead to data breaches.
Concerns about man-in-the-middle vulnerabilities
Since SSL VPN solutions rely on the SSL protocol and its successor, Transport Layer Security (TLS), flaws in the SSL/TLS infrastructure have a direct impact on the overall security of remote connectivity. Many attack vectors against SSL take advantage of untrusted certificates and well-known SSL/TLS vulnerabilities such as POODLE, BEAST, Heartbleed, and ROBOT.
The use of a pre-installed vendor certificate illustrates what the untrusted certificate risk is. For a seamless deployment experience, security vendors build appliances that work out of the box with default configurations using self-signed SSL certificates. The problem is that these defaults can cause trouble if the organization cannot allocate enough time (e.g., during a global pandemic) to read the documentation. That was the issue with FortiGate VPN appliances, where the default SSL VPN configuration can allow an attacker to perform a MITM (man-in-the-middle) attack and intercept sensitive data. In a matter of minutes, a Shodan search by the researchers turned up more than 200,000 FortiGate appliances using the vulnerable default configuration.
Threat actors are well aware of the rapid digital transformation organizations are going through, and they search for blind and forgotten spots that they can easily exploit. During the reconnaissance stage, they often scan and collect information about the SSL/TLS certificates in use, such as the supported SSL protocol versions, preferred cipher suites, and certificate chain.
Have a look at some of the common authentication and configuration risks that may expose you to your adversaries:
Insecure SSL/TLS protocol versions
- SSLv3 support: Affected by POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability.
- SSLv2 support: An attacker may retrieve plain text content of secure connections.
- TLS 1.0 and TLS 1.1 support: Affected by FREAK, POODLE, BEAST, and CRIME vulnerabilities.
No-longer-recommended cipher suites
- 3DES (Triple Data Encryption Standard)
- IDEA (International Data Encryption Algorithm)
Missing recommended configurations
- OCSP Stapling: For certificate revocation checking and mitigating the risk of private key compromise.
- TLS Fallback SCSV: For preventing protocol downgrade attacks.
Missing HTTP security headers
- Enable suitable headers (X-XSS-Protection, HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, Feature-Policy) to improve the resilience of your server against common web application attacks such as cross-site scripting and clickjacking.
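The checklist above is easiest to apply when it is turned into a repeatable check against what a scan of your own portal reports. The following script is an added example written for this post, not SOCRadar's VPN Radar code: it takes constructed scan observations (accepted protocol versions, offered cipher suites, OCSP stapling and TLS_FALLBACK_SCSV support, and the raw HTTP response head of the web VPN portal, the kind of facts testssl.sh or `openssl s_client` would give you) and reports every item on the checklist that the portal misses, alongside a hardened configuration that passes. The one-year HSTS `max-age` threshold is an assumption, not something the post states.

```python
"""Offline posture check of an SSL VPN web portal against the checklist above.

Observations are constructed sample input standing in for a scan of your own
appliance; nothing in this script connects anywhere.
"""
import re
from dataclasses import dataclass

# Protocol versions the checklist calls insecure, with the attacks it names.
INSECURE_PROTOCOLS = {
    "SSLv2": "plaintext recovery of secured connections",
    "SSLv3": "POODLE",
    "TLSv1.0": "FREAK, POODLE, BEAST, CRIME",
    "TLSv1.1": "FREAK, POODLE, BEAST, CRIME",
}
# Substrings that identify 3DES and IDEA in OpenSSL- and IANA-style suite names.
DEPRECATED_CIPHER_MARKERS = ("3DES", "DES-CBC3", "IDEA")
# Headers the checklist expects on the portal, compared case-insensitively.
EXPECTED_HEADERS = (
    "strict-transport-security", "x-frame-options", "x-content-type-options",
    "content-security-policy", "referrer-policy", "x-xss-protection",
    "feature-policy",
)
HSTS_MIN_MAX_AGE = 31536000  # one year; assumed threshold, not from the post


@dataclass
class Observation:
    protocols: list        # versions the server accepted during the scan
    ciphers: list          # cipher suites the server was willing to negotiate
    ocsp_stapling: bool
    fallback_scsv: bool
    response_head: str     # raw status line plus headers from the portal


def parse_headers(raw_head: str) -> dict:
    """Map lower-cased header names to values; stops at the blank line."""
    headers = {}
    for line in raw_head.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_headers(headers: dict) -> list:
    return sorted(h for h in EXPECTED_HEADERS if h not in headers)


def audit(obs: Observation) -> list:
    """Return (severity, finding) tuples; an empty list means no checklist hit."""
    findings = []
    for proto in obs.protocols:
        if proto in INSECURE_PROTOCOLS:
            findings.append(("high", f"{proto} accepted ({INSECURE_PROTOCOLS[proto]})"))
    for suite in obs.ciphers:
        if any(marker in suite.upper() for marker in DEPRECATED_CIPHER_MARKERS):
            findings.append(("medium", f"deprecated cipher suite offered: {suite}"))
    if not obs.ocsp_stapling:
        findings.append(("medium", "OCSP stapling disabled (revocation not checked)"))
    # A downgrade needs a lower version to fall back to, so the SCSV only
    # matters when more than one version is accepted.
    if not obs.fallback_scsv and len(obs.protocols) > 1:
        findings.append(("medium", "TLS_FALLBACK_SCSV unsupported with several versions accepted"))
    headers = parse_headers(obs.response_head)
    for name in missing_headers(headers):
        findings.append(("low", f"missing header: {name}"))
    match = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if match and int(match.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(("low", f"HSTS max-age {match.group(1)} below one year"))
    return findings


# Constructed sample: a portal left on vendor defaults.
WEAK = Observation(
    protocols=["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    ciphers=["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA", "AES128-SHA"],
    ocsp_stapling=False, fallback_scsv=False,
    response_head=("HTTP/1.1 200 OK\r\nServer: vpn-portal\r\n"
                   "Strict-Transport-Security: max-age=300\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n"),
)
# Constructed sample: the same portal after hardening to the checklist.
HARDENED = Observation(
    protocols=["TLSv1.2", "TLSv1.3"],
    ciphers=["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"],
    ocsp_stapling=True, fallback_scsv=True,
    response_head=("HTTP/1.1 200 OK\r\n"
                   "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
                   "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
                   "Content-Security-Policy: default-src 'self'\r\n"
                   "Referrer-Policy: no-referrer\r\nX-XSS-Protection: 1; mode=block\r\n"
                   "Feature-Policy: camera 'none'\r\n\r\n"),
)

if __name__ == "__main__":
    for label, obs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit(obs))} finding(s)")
        for severity, text in audit(obs):
            print(f"  [{severity}] {text}")
```

Feed it the observations from a scan of each public-facing portal and keep the output with the asset's inventory record; a portal that moves from an empty finding list to a non-empty one between scans is exactly the configuration drift the checklist is meant to catch.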
Endpoint-related authentication risks
Passwords are the first security mechanism that organizations' security teams adopt to protect against attackers; however, every day thousands of compromised credentials and stolen fingerprints are traded on dark web black markets. Unfortunately, bad password practices (e.g., password reuse and easy-to-guess passwords) and the poor cyber hygiene of remote users, including VIP/C-level executives, do not seem likely to end anytime soon. To prevent threat actors from reaching internal resources through the VPN, in addition to solid endpoint protection mechanisms, companies should also proactively monitor the surface, deep, and dark web to detect stolen corporate credentials. Once threat actors get their hands on sensitive data through successful malware (keyloggers, stealers), phishing, or social engineering attacks, they try to rapidly monetize it by selling it on criminal black markets to the highest bidder.
Let’s take a look at the common weaknesses targeted by threat actors to steal employee credentials:
- Infection with bot malware: Certain types such as stealers, keyloggers, banking malware, etc. pose a higher risk since the leaked data may include a broad variety of sensitive data (PII, credit card numbers, cookies, files, etc.).
- Unsecured public Wi-Fi: A legitimate-looking but rogue hotspot may direct your employee to a legitimate-looking web VPN portal and then steal credentials or intercept network traffic.
- Poor password habits: Employees who use their corporate email address or password to sign up for personal-use applications are at high risk due to the increasing number of credential stuffing attacks.
- Visit SOCRadar Labs for an instant test on your VPN security and get an auto-generated PDF report covering the listed risks above.
- Harden your remote access strategy with an attack surface-centric, targeted threat intelligence solution that also provides you with strategic intelligence on APT actors.
- It’s critically important to remember that unless you take strong steps to protect your VPN infrastructure, opportunistic threat actors will find a way in.
- Configure the VPN by considering the users’ roles in the company and specific resources they need; adopt a zero-trust strategy.
- Continuously monitor and try to reduce your external-facing attack surface by keeping an updated inventory of digital assets (e.g., SSL/TLS certificates, perimeter appliances, etc.).
- Make sure strict password and multi-factor authentication (MFA) policies are in place to support solid endpoint protection mechanisms.
- To improve your cyber resilience, monitor the dark web for external threats such as compromised employee credentials or leaked sensitive data.
VPN security is crucial for all organizations. When the COVID-19 pandemic hit, VPNs helped businesses stay alive and keep the lights on. To effectively secure the perimeter, VPNs need to be continuously monitored for exposed vulnerabilities and endpoint-related risks.
CISA Guidance and Resources for VPN