Gone are the days when attacks were orchestrated to earn credibility within the hacker community: according to the 2020 Verizon Data Breach Report, over 80% of breaches are financially motivated. Cybercriminals choose the attacks that will have the most impact, seeking the easiest path to the largest reward. VPN services fit that profile: they are easy to exploit, and a successful attack can yield large returns.

The exploitation of VPN should not come as a surprise. As the world shifted to remote ways of working, many businesses flocked to VPN to enable their workers. Beyond their ubiquity, VPN services are the ideal target for criminals: by their very nature they provide an ingress point into the business, and because they grant network-level access, an attacker who gets in can roam wherever they please.

There have been a number of recent high-profile Common Vulnerabilities and Exposures (CVE) for the legacy remote access technology: 

  • CVE-2019-11510 – Pulse Secure VPNs
  • CVE-2018-13379 – Fortinet VPN servers
  • CVE-2019-1579 – Palo Alto Networks Global Protect VPNs
  • CVE-2019-19781 – Citrix ADC servers

Unlike these CVEs, the recent wave of attacks has used social engineering tactics to circumvent the identity authentication measures built into VPN.

Savvy IT professionals may have deployed advanced user authentication tools, such as two-factor authentication (2FA), to verify the identity of users, but these are not infallible. There have been multiple news stories detailing how cybercriminals are targeting identity authentication for VPN services, even prompting the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint advisory on the topic. 

Even tech companies fall prey to authentication circumvention techniques, as last month’s Twitter breach demonstrated. As the advisory describes, it is common for businesses to strengthen identity authentication by using 2FA with a one-time PIN (OTP).

OTPs are issued to users, via a text message or an authenticator app for example, after they have entered their credentials into the VPN login page. However, if the user has accidentally entered their details into a phishing page, then instead of receiving the one-time PIN from the VPN they are contacted by criminals, who use social engineering to obtain the PIN from the worker and then use it to gain access.

“In some cases, unsuspecting employees approved 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to [a] help desk impersonator,” – FBI and CISA

There are a number of steps that enterprises can take today to mitigate or entirely eliminate this kind of threat:

  1. Restrict the VPN to role-based, application-level access, so that a compromised account cannot reach the entire corporate network.
  2. Limit remote access to trusted devices, for all applications or for critical ones. This means that even if an attacker steals a user’s credentials, the authentication request is denied if the device is not managed by the business.
  3. Leverage modern authentication when onboarding applications, with built-in identity protection features that prevent “impossible logins” (e.g. a user cannot log in from both the US and Russia within 10 minutes).
  4. Implement integrated, first-party zero-day phishing/vishing protection at the network layer, which helps prevent these attacks from succeeding in the first place.
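One way to implement the “impossible login” check from step 3, as an added example that is not code from the original article or from any vendor product: each successful login is tagged with the geolocation of its source address, and a user whose consecutive logins would require travelling faster than an assumed 1000 km/h threshold is flagged. The user names, timestamps and coordinates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed policy threshold: no legitimate user moves faster than a commercial jet.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime     # timezone-aware UTC time of the successful login
    lat: float       # geolocation of the source IP (e.g. from a GeoIP lookup)
    lon: float
    country: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(prev, cur, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """True if `cur` could not plausibly follow `prev` for the same user."""
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:             # simultaneous logins from two different places
        return dist_km > 0
    return dist_km / hours > max_speed_kmh

def find_impossible_logins(logins):
    """Walk logins per user in time order; return (previous, flagged) pairs."""
    last, flagged = {}, []
    for login in sorted(logins, key=lambda l: l.ts):
        prev = last.get(login.user)
        if prev is not None and impossible_travel(prev, login):
            flagged.append((prev, login))
        last[login.user] = login
    return flagged

# Constructed sample events: alice "travels" Washington -> Moscow in 10 minutes, bob drives New York -> Boston over three hours.
def _at(h, m):
    return datetime(2020, 9, 1, h, m, tzinfo=timezone.utc)

SAMPLE_LOGINS = [
    Login("alice", _at(10, 0), 38.90, -77.04, "US"),
    Login("alice", _at(10, 10), 55.75, 37.62, "RU"),
    Login("bob", _at(9, 0), 40.71, -74.01, "US"),
    Login("bob", _at(12, 0), 42.36, -71.06, "US"),
]
```

Calling `find_impossible_logins(SAMPLE_LOGINS)` returns only alice’s Washington-to-Moscow pair; in a real deployment that result would deny the second request and raise an alert rather than just be reported.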

To learn more about next-generation remote access and how your organization can stay connected and ahead of cybercriminals please get in touch with one of our experts.