This year has seen no shortage of successful hacks, from the SolarWinds supply chain meltdown to China’s blitz against Microsoft Exchange servers. It’s a lot. But the disproportionate attention to these hacking sprees obscures another threat that has been building steadily in the background for years, with no resolution of its own in sight: the sustained assault on VPNs.
The latest example of VPN meltdown (we’re talking about corporate connections, not your personal setup) is among the most dramatic. Security firm FireEye revealed this week that it has found a dozen malware families, spread across multiple hacking groups, feasting on vulnerabilities in Pulse Secure VPN. Victims span the globe and include the usual high-value targets: defense contractors, financial institutions and governments. Attackers used their foothold to steal legitimate credentials, improving their chances of gaining both deep and lasting access.
What’s the deal with VPN hacks? Since the whole point of a VPN is to create a secure connection to a network, worming into one can save hackers a lot of hassle. “Once hackers have these credentials, they don’t need to use spearphishing emails, they don’t need to bring in custom malware,” says Sarah Jones, senior analyst at FireEye. “It’s sort of a perfect situation.”
The campaign discovered by FireEye is particularly ambitious and potentially disturbing. It’s too early for firm attribution, but the groups behind it appear to be linked to China, and their targets seem full of the kind of sensitive information spy groups thrive on. One of the malware families, called Slowpulse, could bypass two-factor authentication protections, sidestepping a key safeguard against credential theft.
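The two behaviours described above, stolen VPN credentials reused for lasting access and a second factor that is skipped rather than completed, both leave traces in the appliance’s authentication log. The following is an added example written for this article, not code from FireEye, Pulse Secure or the original piece: it parses a constructed, hypothetical log format (the field names `user`, `src`, `country`, `mfa` and `result` are assumptions) and flags successful logins where MFA did not complete, plus the same account succeeding from two countries within a short window.

```python
"""Detection sketch: spotting misuse of stolen VPN credentials.

Added example, not from the original article or from FireEye/Pulse Secure.
The log format below is constructed and hypothetical (field names are
assumptions); adapt parse_line() to whatever your VPN appliance emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format):
# <ISO timestamp> user=<name> src=<ip> country=<cc> mfa=<ok|skipped|fail> result=<success|failure>
SAMPLE_LOG = """\
2021-04-20T08:01:10Z user=alice src=203.0.113.10 country=US mfa=ok result=success
2021-04-20T08:03:44Z user=bob src=198.51.100.7 country=US mfa=skipped result=success
2021-04-20T08:05:02Z user=carol src=192.0.2.55 country=DE mfa=ok result=success
2021-04-20T08:30:15Z user=alice src=203.0.113.10 country=US mfa=ok result=success
2021-04-20T09:10:00Z user=carol src=192.0.2.99 country=CN mfa=ok result=success
2021-04-20T09:12:30Z user=dave src=198.51.100.20 country=US mfa=fail result=failure
"""

REQUIRED_FIELDS = {"user", "src", "country", "mfa", "result"}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        event[key] = value
    if not REQUIRED_FIELDS.issubset(event):
        return None
    return event


def parse_log(text):
    """Parse every well-formed line, silently dropping malformed ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_mfa_bypass(events):
    """Successful logins where the second factor did not complete as 'ok'.

    A 2FA bypass of the kind the article describes shows up as a success
    with the MFA step missing, skipped or failed."""
    return [e for e in events if e["result"] == "success" and e["mfa"] != "ok"]


def find_impossible_travel(events, window=timedelta(hours=2)):
    """Same account succeeding from two different countries within `window`,
    a common side effect of stolen credentials being used by a remote operator."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                hits.append((user, prev["country"], cur["country"]))
    return hits


def analyze(text):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    return {
        "mfa_bypass": [e["user"] for e in find_mfa_bypass(events)],
        "impossible_travel": find_impossible_travel(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the MFA check flags `bob` and the travel check flags `carol` (Germany, then China, about an hour apart). Real appliances log these fields under different names and often split the MFA result into a separate event, so the parser is the part you would replace; the two detection rules transfer as they are.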
“The new problem, discovered this month, has affected a very limited number of customers,” Pulse Secure parent company Ivanti said in a statement. “The team worked quickly to provide mitigation measures directly to the limited number of affected customers, which corrects the risk to their system.”
A patch to address the vulnerability at the heart of the attacks, however, will not be available until next month. And even then, it may not provide much relief. Businesses often take a long time to update their VPNs, in part because downtime prevents employees from doing their jobs. Some of the intrusions that FireEye detected actually appear to be related to vulnerabilities that had been reported as early as 2019. That same year, a Pulse Secure VPN flaw allowed a ransomware group to hold Travelex, a travel insurance company, hostage for millions of dollars. A year later, despite warnings from researchers, national cybersecurity organizations and law enforcement, thousands of organizations remained vulnerable, says Troy Mursch, director of research at cyber threat intelligence firm Bad Packets.
It wasn’t always like that. VPNs traditionally relied on a set of protocols known as Internet Protocol Security, or IPsec. Although IPsec-based VPNs are considered secure and reliable, they can also be complicated and clumsy for users. In recent years, as remote working grew and then exploded, more and more VPNs have been built instead on the ubiquitous encryption technologies known as Secure Sockets Layer and Transport Layer Security. The details quickly descend into the weeds, but essentially SSL/TLS VPNs have made connecting to your company’s network much more seamless: the difference between merging onto the highway in a minivan and in a Miata.
“It was a big step forward for convenience,” says Vijay Sarvepalli, senior security solutions architect at the CERT Coordination Center at Carnegie Mellon University. CERT helps catalog vulnerabilities and coordinate their public disclosure. “When they designed these things, the risks weren’t considered yet. It is not impossible to protect them, but people are not ready to watch them and react quickly to attacks against them.”
Software of all kinds has vulnerabilities, but since VPNs by definition act as a channel for information intended to be private, their bugs have serious implications. The pandemic’s shift to remote working has put the underlying issues in the spotlight. “Many SSL VPN providers started out with serious flaws in their products,” says Mursch. “The increased use of SSL VPNs over the past year has led to more scrutiny from security researchers and threat actors interested in exploiting them.”