Legacy VPN technology puts business operations at risk
Listen in as we discuss this and many more topics on the podcast The CISO's Gambit.
Virtual Private Network (VPN) technology carries risk. By design, a VPN effectively extends your network to a remote endpoint, or in the case of a fully remote workforce, to thousands or tens of thousands of remote endpoints. But a worse risk—one that isn’t often talked about—is that the VPN service itself is exposed to the internet, inviting attack.
The VPN was designed more than 25 years ago. Despite the performance limitations VPNs impose and the enterprise-threat vulnerabilities they introduce, VPNs remain a commonly employed method for enabling remote access. They are easy to set up, often included with firewall subscriptions, and, once up and running, relatively straightforward to maintain. And though VPNs promise a secure connection from a remote endpoint to the destination gateway, the VPN itself is exposed, and vulnerable to direct internet-based attacks. Across all industries and verticals, VPN services pose a significant risk to organizations.
The risk is significant, and that’s an understatement. Let’s look at some recent examples of exploited VPN services.
The first is a newly-disclosed critical authentication bypass vulnerability in Pulse Connect Secure, a widely-used SSL remote-access solution. Threat intel reporting indicates this vulnerability is being actively exploited by threat actors, and could be leveraged to obtain access to internal networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities” requiring all Federal Agencies to identify and mitigate the vulnerability (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the most recently disclosed CVE-2021-22893) by April 23, 2021.
Second, FBI and CISA issued a joint cybersecurity advisory that nation-state threat actors have been observed exploiting vulnerabilities in Fortinet SSL VPN (CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591) to gain access to multiple government, commercial, and technology services networks. Once initial access to the network is obtained, additional attacks using traditional exploitation techniques are used to propagate and propagate access.
Right now, organizations around the world are in a frantic race to patch Pulse Secure vulnerabilities before threat actors can exploit them. Just a few weeks ago, organizations that used Fortinet VPN hardware were in the same situation. In the past two years, all of the leading VPN security appliance vendors—Netscaler, Palo Alto Networks, Cisco, Pulse Secure—have acknowledged critical and remotely exploitable vulnerabilities in their public-facing remote-access/VPN services. This is why it is critical for agencies and organizations to embrace security transformation and move away from legacy VPN-based architectures for remote access.
Whenever a new exploit is discovered, the race is on...for both good and bad actors. Exploit developers work to develop malware for proof-of-concept attacks, and/or to be integrated into their exploit toolkit. Meanwhile, customers scurry to implement patches, vendor fixes, hardware upgrades, or potentially risk-offsetting compensating controls to mitigate exposure.
These flaws aren’t that difficult to exploit. APT actors around the world can pump out exploit code very quickly, but even an unskilled attacker can use an automated exploit tool like Metasploit / Rapid7, or Core Impact if exploit code is publicly available to compromise and gain access to a targeted network.
To make matters worse, these vulnerabilities are just the ones we know about. I am more concerned about the ones that haven’t yet been disclosed. Just because a public disclosure isn’t out for a particular remote-access vendor’s solution doesn’t mean that hardware-based VPN solution is safe from attack. Offensive cyber teams around the world (and yes, in the United States too) work around the clock to discover the next remotely-exploitable zero-day vulnerability. With the COVID-imposed advent of fully-remote workforces, VPN targets are high-value, especially for those attackers that have full government backing and the resources to discover exploitable flaws.
Most vendors work diligently to keep up with the onslaught of attacks. But it’s not enough for enterprise VPN users. Once a critical vulnerability has been disclosed, you’re likely already behind the curve, and presumably already compromised. A moderately-skilled pen tester can easily exploit these security holes, use them to breach your network, and leverage them to move throughout your environment.
But it’s not just moderately skilled attackers that you have to worry about: MITRE currently tracks 110 groups that are linked to a cluster of adversary activity exploiting VPN services. Imagine the extent to which an advanced state-sponsored actor could leverage these remotely exploitable vulnerabilities.
According to the Zscaler 2021 VPN Risk Report:
VPNs are a significant risk to your business. At the end of the day, users need to access applications, not become an extension of the corporate network. There is a better way to secure work-from-anywhere connectivity that eliminates risk and enhances user experience. In a reverse proxy-based security architecture, your apps are never exposed to direct internet-based attacks, and you eliminate the risk that a sophisticated threat actor will exploit your legacy VPN remote access solution.