February 28, 2020 // Tony Howlett // Last Updated: February 12, 2021
According to a recent study by ClearSky, more nation-state actors, such as Iran’s “Fox Kitten” hacking group and other Advanced Persistent Threats (APTs), are focusing on VPNs as a way to establish a foothold in a network in the first stage of their attacks. APT is the name for groups that have significant resources and are sophisticated enough to launch concerted, multistage, targeted attacks. These are typically nation-state hacking groups that either work directly for a government or are loosely affiliated with one, and that are trying to achieve some large political or national goal rather than pure monetary gain.
That goal could be cyber espionage or future acts of cyberwar or cyberterrorism. Their focus is usually on critical infrastructure or other strategic assets like military contractors and technology intellectual property. The massive vulnerability announced last year in multiple VPN vendors’ platforms was a watershed for these groups’ activity in this area. Even before this perfect-storm VPN super-vuln, though, there were other exploits in most VPN vendors’ products, as well as other techniques like credential stuffing and social engineering that could be used to grab a VPN credential. The fact is that VPNs have been a popular entry point to networks for hackers of all types for quite some time.
If an attacker can get onto a network via a VPN connection, they have a lot of options for further exploitation. Many VPNs offer what I call “broad spectrum” network access; that is, access without much segmentation or limits, since VPNs are typically configured for internal employee use, even when employed for third-party users such as vendors and contractors. Once on the network remotely with this kind of access, a hacker can scan for other vulnerable machines in their visible network neighborhood, which is typically overly broad for their needs. There are often plenty of vulnerable targets to find inside a corporate perimeter.
Anyone who has done an internal vulnerability scan knows how hard it is to get rid of all of your internal vulnerabilities. The focus is usually on the outside, internet-facing IPs. Like an M&M, networks are hard and crunchy on the outside with lots of defenses, and sweet and gooey on the inside with lots of yummy vulnerabilities to exploit. Once attackers find a host or set of hosts with holes, they exploit them and install malware that phones home, so they still have a backdoor after the vulnerability is patched. They will also set up their beachhead machine to sniff for credentials and other useful data that might be sent in the clear, especially privileged passwords they can use to further establish their foothold and do more dirty work. The point here is that once they are in, all the VPN and firewall patching in the world isn’t going to help you, though you should certainly still do it to keep out new intruders.
And the sad fact is, there are still unpatched VPN servers out there almost a year after the vulnerability discovery. VPN servers, along with firewalls and routers, are often slower to get patched than application servers and desktops. But even if you are on top of it and were able to patch quickly, the largest hacking groups are now fast enough to take advantage of even short vulnerability windows to get in and get their back doors set up, especially at high-value targets.
What to do? I highly recommend that any enterprise that was vulnerable to one of these VPN exploits, even for a short time, do some threat hunting within its network. Threat hunting is the act of exploring your networks and systems to see if you might have signs or remnants of hacker activity. Sometimes it’s obvious, such as an outgoing ping signal coming from a host on your network; sometimes it’s subtle, like abnormal activity showing up in your logs. You can narrow your searches to the period from the date of the vulnerability announcement (or perhaps a few weeks or months before, since zero-day exploits can be used before they are discovered); you can also narrow them to specific hosts accessible from those access points, or to specific country IP blocks. Hopefully you will find nothing, but you might find the trails of some rats who made it in through the rat hole before it was closed. If you don’t have the sophistication or resources to do this internally, there are third parties who are very good at it. They are expensive, but if you can afford it, I would employ them: you will get experts at finding the trails and crumbs left behind by hackers, and they are independent of internal staff who might be too close to it to see the clues.
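One way to apply the narrowing described above, as an added example that is not from the original article: it keeps only VPN sessions inside the hunting window, then flags those whose source sits in a watched IP block or whose tunnel address touched many internal hosts. The announcement date, the watched block (a documentation range standing in for a country block), both log layouts and the fan-out threshold are assumptions, and every log line is constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ANNOUNCED = datetime(2020, 1, 10)               # placeholder date, not from the article
HUNT_START = ANNOUNCED - timedelta(days=60)     # look back before the announcement
WATCH_BLOCKS = [ip_network("203.0.113.0/24")]   # stand-in for a country IP block
FANOUT_LIMIT = 4                                # distinct internal hosts that count as a sweep

# Constructed VPN session log: start, end, user, public source IP, tunnel IP
SESSIONS = """\
2019-10-02T09:00 2019-10-02T17:00 vendor1 198.51.100.7 10.8.0.5
2019-12-01T02:10 2019-12-01T02:50 vendor1 203.0.113.44 10.8.0.9
2020-01-20T08:30 2020-01-20T16:00 alice 198.51.100.20 10.8.0.6
"""
# Constructed internal flow log: time, source, destination, destination port
FLOWS = """\
2019-12-01T02:12 10.8.0.9 10.1.1.10 445
2019-12-01T02:12 10.8.0.9 10.1.1.11 445
2019-12-01T02:13 10.8.0.9 10.1.1.12 445
2019-12-01T02:13 10.8.0.9 10.1.1.13 3389
2020-01-20T09:00 10.8.0.6 10.1.1.10 443
"""

def hunt(sessions=SESSIONS, flows=FLOWS):
    """Return VPN sessions in the hunting window that deserve a closer look."""
    ts = datetime.fromisoformat
    flow_rows = [(ts(t), src, dst) for t, src, dst, _port in
                 (line.split() for line in flows.splitlines())]
    findings = []
    for line in sessions.splitlines():
        start, end, user, src, tunnel = line.split()
        start, end = ts(start), ts(end)
        if end < HUNT_START:                    # outside the window: skip
            continue
        reasons = []
        if any(ip_address(src) in net for net in WATCH_BLOCKS):
            reasons.append("source in watched block")
        # Internal hosts this tunnel address contacted while the session was up
        hosts = sorted({d for t, s, d in flow_rows if s == tunnel and start <= t <= end})
        if len(hosts) >= FANOUT_LIMIT:
            reasons.append("wide internal fan-out")
        if reasons:
            findings.append({"user": user, "src": src, "hosts": hosts, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```
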
Also, if you are still using VPNs for all your remote access needs, you should reconsider. Third-party risk is at an all-time high and all outsiders, even trusted vendors and partners, should not be treated the same as employees. Good network design with segmenting and VLANs along with robust internal vulnerability management can help you harden the interior of your network. And cutting edge technologies such as Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM) can help you lock down your remote access methods both for insiders and third parties. Doing these things should keep the worst of the VPN vulnerability exploiters out of your network and off your servers.