VPN Hacks are a Slow-Motion Disaster

If this year no hacking of blockbusters has been seen Dissolution of the SolarWinds supply chain ra China has turned against Microsoft Exchange servers. It’s a lot. But the massive focus on hacking hides another threat that has been constantly built up in the background over the years, with no clear resolution: a persistent attack on virtual private networks.

A recent example of VPN disruption: We’re talking about corporate connections, no your personal configuration“It’s one of the most dramatic.” Security firm FireEye revealed this week that it has found a dozen malware families, spread across multiple hacking groups, celebrating with vulnerabilities in the Pulse Secure VPN. Victims spread around the world and were among the usual targets of high value: defense contractors, financial institutions and government. The attackers used their perches to steal legitimate credentials, improving their chances of gaining deep and lasting access.

What a thing about VPN hacks. Since the whole purpose of a VPN is to create a secure connection to a network, turning it into a hacker can save you a lot of trouble. “Once hackers have these credentials, they don’t have to use ordinary email, they don’t have to bring in custom malware,” says Sarah Jones, chief analyst at FireEye. “The situation is perfect.”

The campaign found by FireEye is particularly ambitious and can be disturbing. It’s too early to get a firm impeachment, but the groups behind it seem to be linked to China, and their targets seem to be full of sensitive information as espionage groups move forward. One of the malware families, called Slowpulse, can get two-factor authentication protections, bypassing key protection against leaving credentials.

“The new issue found this month has affected a limited number of customers,” Ivanti Pulse Secure, a leading company, said in a statement. “The team worked quickly to directly alleviate the limited number of affected customers who solve the risk to their system.”

A patch to fix the vulnerability at the core of the attacks, however, will not be available until next month. And even then, it may not provide much salvation. Companies often update their VPNs to the extent that stoppages make it impossible for employees to perform their work effectively. Some of the intrusions detected by FireEye appear to be related to vulnerabilities that have been reported since 2019. In the same year, a Pulse Secure VPN bug offered a ransomware intrusion to Travelex, a travel insurance company. in the millions of dollars. A year later – despite warnings from researchers, national cybersecurity organizations and law enforcement – thousands of organizations remain weak, said Troy Mursch, head of cyber threat intelligence at Bad Packets.

It wasn’t always like that. VPNs are usually based on a set of protocols known as Internet Security or IPsec. While IPsec-based VPNs are considered secure and reliable, they can also be complicated and cumbersome for users. In recent years, as remote work has expanded and exploded, more and more VPNs have been built into the ubiquitous encryption technologies known as single-socket layer and transport layer security. The distinctions come down quickly, but basically SSL / TLS VPNs made it much better to sign in to your company’s network: the difference between merging into a minibus and a state between Miata.

“That was a big step towards convenience,” says Vijay Sarvepalli, chief architect of security solutions at the CERT Coordination Center at Carnegie Mellon University. CERT helps catalog vulnerabilities and coordinate their public information. “When they designed these things, they still didn’t consider the risks. It’s not impossible to protect them, but people are not ready to control and respond quickly to attacks. “

Software at all levels has weaknesses, but because VPNs act as a means of information that seeks to be a private definition, their flaws have serious consequences. The pandemic’s shift to remote work has put the underlying issues in focus. “Many early SSL VPN vendors had serious flaws in getting their products started,” says Mursch. “The increase in the use of SSL VPNs over the past year has led to more analysis by security researchers and the drivers of threats interested in exploiting them.”