The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time.
While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.
Many organisations still aren’t taking the action required to fully protect their networks from these attacks, say researchers.
“Organisations aren’t prepared for these incidents,” Bart Vanautgaerden, senior incident response consultant at Mandiant, told ZDNet. “They’re familiar with compromises on Windows, but with a VPN compromise, they’re not trained or technically prepared to deal with an incident like that.”
In a presentation at Black Hat Europe, Vanautgaerden detailed how VPN vulnerabilities were being exploited by numerous cyber criminal groups.
These include at least eight Advanced Persistent Threat (APT) hacking operations aimed at cyber espionage, as well as various ransomware gangs targeting vulnerabilities in VPNs to launch ransomware attacks.
Cyber attackers can breach usernames and passwords to access VPN services – especially if multi-factor authentication isn’t used as an additional layer of protection – as well as exploit vulnerabilities in VPN appliances themselves.
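Both credential abuse paths mentioned above leave traces in VPN authentication logs: a password-spraying source tries many usernames and fails, and a stolen password only gets in cleanly when no second factor is enforced. The script below is an added example written for this article, not code from ZDNet or Mandiant; it runs over a handful of constructed log lines in an invented `key=value` format (the field names, hostnames and RFC 5737 documentation addresses are all assumptions, not any vendor's real log schema) and flags sources that fail against many distinct accounts, successful logins that completed without MFA, and the highest-risk case of a success coming from a source that was just spraying.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in an invented key=value format. They are not
# from any real VPN appliance and exist only to exercise the detection logic.
SAMPLE_LOG = """\
2021-11-10T08:01:12Z vpn-gw01 auth user=alice src=203.0.113.5 result=FAIL mfa=none
2021-11-10T08:01:13Z vpn-gw01 auth user=bob src=203.0.113.5 result=FAIL mfa=none
2021-11-10T08:01:14Z vpn-gw01 auth user=carol src=203.0.113.5 result=FAIL mfa=none
2021-11-10T08:01:15Z vpn-gw01 auth user=dave src=203.0.113.5 result=FAIL mfa=none
2021-11-10T08:01:16Z vpn-gw01 auth user=erin src=203.0.113.5 result=FAIL mfa=none
2021-11-10T08:01:40Z vpn-gw01 auth user=erin src=203.0.113.5 result=OK mfa=none
2021-11-10T08:05:02Z vpn-gw01 auth user=alice src=198.51.100.23 result=OK mfa=totp
2021-11-10T08:06:30Z vpn-gw01 auth user=bob src=198.51.100.77 result=FAIL mfa=none
2021-11-10T08:06:45Z vpn-gw01 auth user=bob src=198.51.100.77 result=OK mfa=totp
this line is malformed and should be skipped
"""

# One regex for the assumed format; anything that does not match is counted
# as skipped rather than silently dropped, so parser drift is visible.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class Findings:
    # src -> sorted list of distinct usernames that failed from that source
    spraying_sources: dict = field(default_factory=dict)
    # (ts, user, src) for every successful login that completed without MFA
    no_mfa_logins: list = field(default_factory=list)
    # (user, src) for successes originating from a source flagged as spraying
    success_after_spray: list = field(default_factory=list)
    skipped_lines: int = 0


def analyze(log_text, spray_threshold=5):
    """Scan VPN auth events and return Findings.

    A source is treated as spraying when it fails against at least
    `spray_threshold` distinct usernames (a constructed threshold; tune it
    to the size of the user base and the observation window).
    """
    failures_by_src = defaultdict(set)
    successes_by_src = defaultdict(list)
    findings = Findings()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.skipped_lines += 1
            continue
        if ev["result"] == "FAIL":
            failures_by_src[ev["src"]].add(ev["user"])
            continue
        # Successful authentication from here on.
        successes_by_src[ev["src"]].append(ev["user"])
        if ev["mfa"] == "none":
            findings.no_mfa_logins.append((ev["ts"], ev["user"], ev["src"]))

    for src, users in failures_by_src.items():
        if len(users) >= spray_threshold:
            findings.spraying_sources[src] = sorted(users)
            # A success from a spraying source is the account to reset first.
            for user in successes_by_src.get(src, []):
                findings.success_after_spray.append((user, src))

    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, users in result.spraying_sources.items():
        print(f"spraying source {src}: {len(users)} accounts tried")
    for ts, user, src in result.no_mfa_logins:
        print(f"login without MFA: {user} from {src} at {ts}")
    for user, src in result.success_after_spray:
        print(f"reset candidate: {user} (success from spraying source {src})")
    print(f"skipped {result.skipped_lines} malformed line(s)")
```

In the constructed sample, `203.0.113.5` fails against five accounts and then logs in as `erin` with no second factor, which lands in all three findings; `bob` also fails once but then succeeds with TOTP from a different address, which is ordinary user behaviour and is not flagged. Against real appliance logs the regex is the only part that needs adapting.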
For example, earlier this year, Mandiant disclosed vulnerabilities in Pulse Secure’s VPN. Pulse Secure later released security updates to protect against the vulnerabilities. Other providers, including Fortinet and Palo Alto Networks, have also had to release critical security updates to protect VPNs from attacks.
Many organisations may be unaware this is an issue they need to think about – meaning patches aren’t being applied, and VPN servers remain open to compromise. “For many organisations we’ve talked to, it’s the first time they’ve had such an incident, so they’re not on the lookout for it,” said Vanautgaerden.
To remain robust against cyber attacks, organisations should apply security patches as soon as possible. Not being able to use VPNs for a short time while the updates are applied isn’t ideal, but it’s better than having to uproot the entire network after a full-scale breach.
“Organisations should really focus on an aggressive patching strategy, not to lose any time as soon as there’s a vulnerability disclosed to implement the patch itself,” Vanautgaerden said.
“It may sound straightforward, but with so much reliance on VPN tunnels, organisations often don’t want to face the downtime that’s often required when patching these applications. It’s easier said than done, but organisations need to have systems in place to ensure they have a fast and aggressive policy.”
Businesses should also ensure they have a response plan at the ready to reset accounts and assess damage in the event that a cyber security breach does take place, said Vanautgaerden.
“[Organisations] need to be able to investigate and reset VPN appliances and also provide additional entry to the network so legitimate users can still access the network while they investigate.”