The downside of VPNs
Due to COVID-19 and the resulting work-from-home (WFH) model, global enterprises have become far more dependent on virtual private networks (VPNs). A VPN is, in effect, an encrypted tunnel: it lets employees and contractors connect to the corporate infrastructure remotely as clients and reach internal network services as though they were sitting on the office network.
Imagine a large company with proprietary sales data stored on its servers. It doesn’t want its data to be available to all comers via the internet, yet widely dispersed salespeople need access. They can use the company’s VPN to privately connect from anywhere.
As one security measure, the VPN hides the salespeople's real IP addresses: to the servers they reach, and to anyone watching the path, their traffic appears to originate from the VPN gateway. And provided the VPN is configured correctly, the traffic inside the tunnel is encrypted, so company data is protected while it crosses the internet.
But the VPN's listening ports must stay open to accept client connections, which makes the gateway a permanently internet-exposed attack surface, and several of the attack methods used against it are quite sophisticated. In this post, you'll learn why a VPN on its own cannot provide enterprise-grade security, and what you can do to shore up its shortcomings.
- Some attacks don't require network access at all; they rely on identity theft or on attacking the endpoint itself, through malware infections and phishing. The Hacker News says, “Some attackers can gain control of your device by injecting malicious software, files, and codes into your system. You might be exposed to malware when you visit unauthorized websites or try to download third-party apps.” And it reports, “[Hackers] create more than 1.4 million phishing sites every month,” against which a VPN provides no protection.
- Moreover, it's not just the user who is let in: everything running on the connected device inherits its network access, and with split tunneling the device can even act as a bridge between its home LAN and the corporate network. When a user connects from an unmanaged personal computer, malware already on that PC rides the tunnel straight into the organization's network. So, whether it's a piece of malware or a compromised account, nothing stops the attacker from moving laterally across your infrastructure once inside.
- In his VPN – a Very Precarious Narrative blog post, software engineer Dennis Schubert writes, “Using a VPN does not protect you against hackers who hijack parts of the internet to read traffic. [It doesn’t] protect you against data breaches on the services you are using.”
- VPNs protect data in transit between the client and the VPN gateway, but that's about all. Traffic is decrypted at both ends of the tunnel, so anyone with access beyond those points can once again read and modify it, including the VPN provider itself when a commercial service terminates the tunnel.
- Handling connections for thousands of users, a large commercial VPN provider is an attractive target for supply chain attacks: all of that traffic converges on a single infrastructure maintained by a small number of engineers, who one hopes are doing their job correctly and aren't overburdened.
- VPN hijacking, in which an unauthorized party takes over an established VPN session from the remote client and inherits its access.
Attackers heavily exploit VPN vulnerabilities
DARKreading reports, “Threat actors like attacking the technology because [VPNs] provide a convenient entry point to enterprise networks… [they have] increased targeting of remote code execution (RCE) vulnerabilities such as one affecting Oracle WebLogic (CVE-2020-14882) and widespread attacks targeting the ProxyLogon flaws in Microsoft Exchange Server… VPN devices, in addition to other remote access software, are often prioritized as a useful entry point [to] provide threat groups with a stable foothold onto target networks.”
The more organizations depend on VPNs, the more VPN vulnerabilities come to light; to date 479 have been identified in the public domain. Most persist because of unpatched VPN appliances whose firmware has never been updated. Beyond malware injection, the resulting threats include data and identity theft and attacks on internal and external websites and networks.
This research lists these VPN attack types:
- Man-in-the-middle (MITM) attacks
- Repeated log-in attempts (brute forcing and password spraying against the exposed authentication endpoint)
- Legacy apps (e.g., PuTTY)
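As an added example (written for this page, not code from the original post or any vendor), here is a small detector for the repeated log-in attempts listed above, run over a few constructed authentication log lines in a simplified format. It flags brute forcing (many failures from one source), password spraying (one source cycling through many usernames) and the highest-value signal, a success that follows a burst of failures. The log format, field names, thresholds and sample lines are assumptions for the demo; adapt the regular expression to your gateway's actual log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simplified format (an assumption for this demo,
# not any real gateway's log format).
SAMPLE_LOG = """\
2022-03-07T10:15:02Z AUTH_FAILED user=alice src=203.0.113.5
2022-03-07T10:15:09Z AUTH_FAILED user=bob src=203.0.113.5
2022-03-07T10:15:15Z AUTH_FAILED user=carol src=203.0.113.5
2022-03-07T10:15:21Z AUTH_FAILED user=dave src=203.0.113.5
2022-03-07T10:15:30Z AUTH_OK user=dave src=203.0.113.5
2022-03-07T10:16:00Z AUTH_OK user=erin src=198.51.100.7
2022-03-07T10:40:00Z AUTH_FAILED user=erin src=198.51.100.7
2022-03-07T11:40:00Z AUTH_FAILED user=erin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_FAILED|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect(lines, window_seconds=600, fail_threshold=4, spray_users=3):
    """Sliding-window detection per source address.

    Returns a list of (kind, src, detail) tuples in the order the evidence appeared:
      bruteforce             - at least fail_threshold failures from one src inside the window
      spray                  - failures against at least spray_users distinct usernames from one src
      success_after_failures - a login succeeded from a src that had recent failures
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # src -> deque of (timestamp, user)
    alerts, already = [], set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than crash the pipeline
        ts, result, user, src = rec
        q = recent_failures[src]
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()

        if result == "AUTH_FAILED":
            q.append((ts, user))
            users = sorted({u for _, u in q})
            if len(q) >= fail_threshold and ("bruteforce", src) not in already:
                already.add(("bruteforce", src))
                alerts.append(("bruteforce", src, f"{len(q)} failures within {window_seconds}s"))
            if len(users) >= spray_users and ("spray", src) not in already:
                already.add(("spray", src))
                alerts.append(("spray", src, f"{len(users)} distinct users: {users}"))
        elif q:
            # A success right after a burst of failures: the guessing may have worked.
            alerts.append(("success_after_failures", src, f"user={user} after {len(q)} failures"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, 203.0.113.5 trips the spray rule on its third distinct username, the brute-force rule on its fourth failure, and the success-after-failures rule when dave's login then succeeds; 198.51.100.7's two failures are an hour apart and fall outside the window, so it raises nothing.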
A concrete OpenVPN instance: when more than one external authentication plug-in used deferred authentication replies, OpenVPN versions before 2.4.12 and 2.5.6 could bypass those plug-ins and grant access to a user who supplied only partially correct credentials (CVE-2022-0547). The flaw is fixed in OpenVPN 2.4.12 and 2.5.6.
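The advisory above describes a general failure mode: several authentication back-ends run in sequence, their verdicts are combined, and the combination does not treat a deferred verdict conservatively. The model below is an added, deliberately simplified illustration written for this page; it is not OpenVPN's code and does not reproduce its exact logic. The plug-in stand-ins, credential stores and the "shared slot" behaviour of the weak combiner are assumptions for the demo. Rejecting a configuration in which more than one plug-in defers is one defensible fix; check the OpenVPN 2.4.12/2.5.6 release notes for what upstream actually did.

```python
from enum import Enum


class Verdict(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    DEFERRED = "deferred"  # back-end answers later, e.g. by writing a result file


class Plugin:
    """Constructed stand-in for an authentication back-end (an assumption for this
    demo, not a real OpenVPN plug-in). check(user, creds) -> bool. A deferring
    back-end returns DEFERRED immediately and delivers its real verdict later."""

    def __init__(self, name, check, deferred=False):
        self.name = name
        self.check = check
        self.deferred = deferred

    def auth(self, user, creds):
        real = Verdict.SUCCESS if self.check(user, creds) else Verdict.FAILURE
        if self.deferred:
            return Verdict.DEFERRED, real  # (immediate verdict, verdict delivered later)
        return real, None


def authenticate_vulnerable(plugins, user, creds):
    """Weak combination: immediate verdicts are reduced with 'last plug-in wins', and
    every deferred verdict lands in one shared slot, so a second deferring plug-in
    silently overwrites the first one's result."""
    immediate, pending = None, None
    for p in plugins:
        now, later = p.auth(user, creds)
        immediate = now          # an earlier FAILURE is forgotten
        if later is not None:
            pending = later      # shared slot: an earlier deferred verdict is lost
    return pending if immediate is Verdict.DEFERRED else immediate


def authenticate_hardened(plugins, user, creds):
    """Conservative combination: any FAILURE fails, every plug-in must succeed, and a
    configuration in which more than one plug-in defers is rejected outright
    instead of guessing whose deferred verdict should count."""
    pending = []
    for p in plugins:
        now, later = p.auth(user, creds)
        if now is Verdict.FAILURE:
            return Verdict.FAILURE
        if now is Verdict.DEFERRED:
            pending.append(later)
    if len(pending) > 1:
        return Verdict.FAILURE   # ambiguous configuration: refuse
    return pending[0] if pending else Verdict.SUCCESS


# Constructed credential stores and back-ends for the demo.
PASSWORDS = {"alice": "correct-horse"}
OTP_CODES = {"alice": "493027"}
password_plugin = Plugin("password", lambda u, c: PASSWORDS.get(u) == c.get("password"), deferred=True)
otp_deferred = Plugin("otp", lambda u, c: OTP_CODES.get(u) == c.get("otp"), deferred=True)
otp_immediate = Plugin("otp", otp_deferred.check, deferred=False)

TWO_DEFERRED = [password_plugin, otp_deferred]   # the configuration the advisory warns about
ONE_DEFERRED = [password_plugin, otp_immediate]  # at most one deferring plug-in

if __name__ == "__main__":
    partial = {"password": "wrong", "otp": "493027"}  # only the second factor is right
    print("vulnerable:", authenticate_vulnerable(TWO_DEFERRED, "alice", partial))  # SUCCESS: bypass
    print("hardened:  ", authenticate_hardened(ONE_DEFERRED, "alice", partial))    # FAILURE
```

With a wrong password but a correct one-time code, the weak combiner accepts the user because the OTP plug-in's deferred SUCCESS overwrote the password plug-in's deferred FAILURE; the conservative combiner fails the login as soon as any verdict is FAILURE and refuses to run two deferring plug-ins at all.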
Advanced persistent threats (APTs) target VPNs
VPN devices remain at risk. “Cybersecurity researchers from FireEye warn once again that Chinese APT groups continue to target Pulse Secure VPN devices to penetrate target networks and deliver malicious web shells to steal sensitive information,” states Security Affairs. And BankInfoSecurity reports an Iranian group exploited unpatched devices—hitting Fortinet, Pulse Secure, and Palo Alto Networks VPN servers in addition to Citrix remote gateways.
Elsewhere, an APT group exploited a zero-day flaw in FatPipe’s WARP, MPVPN, and IPVPN software products before they were patched.
What happens when an unhappy or greedy team member gets a message from a ransomware gang offering a reward in exchange for access to the enterprise VPN? The screen capture shows Lapsus$ soliciting insiders who hold VPN access at major enterprises. How can you protect your company against this type of insider threat? Certainly not with a VPN alone.
Compromised VPN services
The MUO site recommends that no one use these eight VPNs:
- Hola – Routes other Hola users' traffic through your PC; Hola then sold this bandwidth to a third-party service.
- HotSpot Shield – Accused of logging connection details, as well as “intercepting and redirecting traffic to partner websites, including advertising companies.”
- HideMyAss – Keeps traceable logs, as an FBI investigation into a hacker verified.
- Facebook Onavo – Facebook’s acquisition collects mobile traffic data to “improve Facebook products and services, gain insights into the products and service people value, and build better experiences.”
- Opera Free VPN – More like a web proxy, this product collects usage data that might be shared with third parties.
- PureVPN – Similar to HideMyAss with respect to user data it maintains.
- VPNSecure – This service contains IP and DNS leaks, along with “egress points” similar to Hola’s “exit nodes.” It’s suspected that user bandwidth might be used without their knowledge.
- Zenmate – Suffers from IP leaks (like HotSpot Shield and PureVPN).
Zero Trust concept
Introduced by a Forrester Research analyst in 2010 and quickly adopted by vendors such as Google and Cisco, Zero Trust is a security model that fortifies the enterprise by removing implicit trust. Breaches often follow from trusting a user or device merely because it is on the network. As described above, one of the biggest issues with VPNs is exactly that: they grant full network access to whoever and whatever is connected.
Zero Trust authenticates and authorizes every user and device for every request, throughout your network. By limiting which parties hold access to each network segment or machine, it greatly reduces the openings an attacker can use to reach sensitive content.
While Zero Trust authorization is an upgrade on the trust-assumed model, it isn't perfect. That said, combining a Zero Trust model with a VPN makes the VPN more effective: the VPN protects remote users' traffic when they connect to the corporate network over public Wi-Fi, while Zero Trust protects the corporate data once they are connected. Thus, even if an unauthorized user obtains VPN access, they still cannot reach restricted files.
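To make the contrast concrete, here is an added example written for this page (not Talon's or any vendor's code): a perimeter-style authorizer for which reaching the network is the whole decision, beside a Zero Trust style policy check that evaluates identity, device posture and resource sensitivity on every request and denies by default. The group names, posture attributes, thresholds and the two-level sensitivity classification are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset
    sensitivity: str  # "low" or "high" (assumed two-level classification for the demo)


def perimeter_authorize(on_vpn, principal, device, resource):
    """VPN-only model: being on the network is the authorization. Identity, device
    and resource are accepted as parameters and deliberately ignored."""
    return on_vpn, []


def zero_trust_authorize(principal, device, resource, max_patch_age_days=30):
    """Per-request decision, deny by default. Returns (allowed, reasons_for_denial).
    Network location is deliberately not an input; the same checks run whether the
    request arrives over a VPN, from the office LAN or from a coffee shop."""
    reasons = []
    if not principal.mfa_verified:
        reasons.append("MFA not verified for this session")
    if not (principal.groups & resource.allowed_groups):
        reasons.append(f"{principal.user} is not in a group allowed on {resource.name}")
    if resource.sensitivity == "high":
        # Posture requirements tighten with the sensitivity of what is being reached.
        if not device.managed:
            reasons.append("unmanaged device")
        if not device.disk_encrypted:
            reasons.append("disk not encrypted")
        if device.patch_age_days > max_patch_age_days:
            reasons.append(f"device {device.patch_age_days} days behind on patches")
    return (not reasons), reasons


# Constructed scenario: stolen VPN credentials used from a personal laptop,
# versus the legitimate owner on a managed corporate laptop.
SALES_DATA = Resource("sales-db", frozenset({"sales"}), "high")
INTRANET = Resource("intranet-wiki", frozenset({"staff", "sales"}), "low")
ATTACKER = Principal("alice", frozenset({"sales", "staff"}), mfa_verified=False)
PERSONAL_LAPTOP = Device(managed=False, disk_encrypted=False, patch_age_days=200)
LEGIT = Principal("alice", frozenset({"sales", "staff"}), mfa_verified=True)
CORP_LAPTOP = Device(managed=True, disk_encrypted=True, patch_age_days=7)

if __name__ == "__main__":
    print("perimeter :", perimeter_authorize(True, ATTACKER, PERSONAL_LAPTOP, SALES_DATA))
    print("zero trust:", zero_trust_authorize(ATTACKER, PERSONAL_LAPTOP, SALES_DATA))
    print("zero trust:", zero_trust_authorize(LEGIT, CORP_LAPTOP, SALES_DATA))
```

The perimeter model lets the attacker at the sales database simply because the VPN session exists; the Zero Trust check denies the same request for four independent reasons (no MFA, unmanaged, unencrypted, unpatched), while the legitimate user on a compliant device is allowed, and the low-sensitivity wiki relaxes the posture checks but still insists on identity.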
The integrated & isolated VPN client
As demonstrated, a VPN alone is not sufficient to fully secure remote network access for today's distributed, hybrid workforce. TalonWork can significantly assist your organization in implementing a Zero Trust model simply and without any network alterations.
Providing seamless integration with all common VPN gateways, Talon uses your existing security stack and doesn’t require any additional solution to be installed on your on-prem/IaaS network infrastructure.
Visit our website for more information about the additional security protection TalonWork provides.