In the wake of the pandemic, there has been a swift integration of digital solutions by global businesses, notably Virtual Private Networks (VPNs). These VPNs enable users to establish secure, encrypted connections with the internet, facilitating remote work while maintaining a secure environment. Nevertheless, the compromise of a VPN connection opens avenues for threat actors to infiltrate secluded networks.
Contents
- A Securin Perspective
- Exposed: Threats to VPN & Remote Access
- Stealth Intruders: Nation-State Cyber Threats
- Ransomware Rampage
- Vulnerability Spotlight: MITRE ATT&CK Analysis
- Unlocking the Code: Weaknesses Behind RCE/PE Exploits
- CISA and NSA Guidance towards Selecting and Hardening Remote Access VPNs
- What Do We Recommend?
A Securin Perspective
A comprehensive analysis of vulnerabilities affecting Virtual Private Networks (VPNs), evolving from a focus on eight vendors and 147 vulnerabilities in 2020, to an expansive review of over 560 products across 78 vendors in 2024, uncovered a total of 1,796 vulnerabilities, an 875% surge!
Exposed: Threats to VPN & Remote Access
Our research underscores a disconcerting reality: 11.3% (204) of the total vulnerabilities have already been weaponized by attackers. Furthermore, Advanced Persistent Threat (APT) groups, including notorious entities such as APT 32, APT 33, Fox Kitten, Sandworm Team have known associations to 26 of these vulnerabilities, while ransomware groups like Sodinokibi, REvil, LockBit, Maze, and Pay2Key, are capable of exploiting 16 vulnerabilities, underscoring the sophisticated and organized nature of the threat landscape, signaling an urgent call to action for cybersecurity measures.
Stealth Intruders: Nation-State Cyber Threats
State-sponsored threat groups are known to target intellectual property and critical industry sectors. We have observed APT groups leveraging vulnerabilities in VPN and secure access devices due to the critical roles they play in being gateways to sensitive, confidential, and operationally critical information that safeguards the digital perimeters of organizations worldwide. Such high-value targets are selected with intentions varying from disinformation, propaganda, espionage, to destructive cyber attacks, in order to establish a competitive advantage over the target nation.
Our focused research shows that VPN vulnerabilities have been leveraged by cyber actors predominantly from China (7), Iran (7), and Russia (4). China, Russia and Iran are linked to the most number of threat groups, with the former two nations together accounting for almost 63% of all known groups.
Ransomware Rampage
Ransomware groups, like nation-state threat actors, have wreaked havoc on VPNs through 2020 to 2024, with 7.8% of the weaponized vulnerabilities.
Securin researchers also spotlighted a select set of nine vulnerabilities that have both APT and Ransomware associations.
VPN Vulnerabilities with APT and Ransomware Associations | ||||
CVE |
APT Associations |
Ransomware Associations |
Vendor |
Affected Products |
CVE-2023-3519 |
2 |
2 |
Citrix / NetScaler ADC |
8 |
CVE-2021-22986 |
1 |
1 |
BIG-IP |
73 |
CVE-2021-20016 |
2 |
2 |
Microsoft |
6 |
CVE-2020-12812 |
1 |
2 |
Fortinet |
3 |
CVE-2020-5902 |
3 |
2 |
F5 |
84 |
CVE-2019-19781 |
8 |
12 |
Citrix |
10 |
CVE-2019-11539 |
2 |
2 |
Pulse Secure |
97 |
CVE-2019-11510 |
7 |
7 |
Pulse Secure |
37 |
CVE-2018-13379 |
10 |
8 |
Fortinet |
2 |
The Fox Kitten APT group has exploit methods for the last five above-mentioned vulnerabilities that exist in popular VPNs such as Pulse Secure, F5, Fortinet and Palo Alto, while the Pay2Key ransomware group is associated with four.
A standout concern are CISA KEV vulnerabilities, CVE-2018-13379 in FortiOS, targeted by 10 APT groups and eight ransomware groups, and CVE-2019-19781, targeted by eight APT groups and 12 ransomware, emphasizing the critical need for immediate mitigation.
Vulnerability Spotlight: MITRE ATT&CK Analysis
Delving into exploit kits, among the 204 weaponized vulnerabilities, 91 are automatable, 46 serve as initial access vectors, and 30 necessitate a full killchain for maximum impact. The implication is profound: automatable vulnerabilities pose a severe threat to VPN products across vendors, requiring no user interaction or privileges. With 22.5% of weaponized vulnerabilities providing initial access, those with a full killchain can disrupt organizational data, leading to economic losses and impacting public well-being, with potential downtimes of a week or more.
Unlocking the Code: Weaknesses Behind RCE/PE Exploits
We observed a total of 166 weaknesses in code, giving rise to the 1,796 vulnerabilities identified in our study, with 43 weaknesses that lead to RCE/PE exploits. The most prominent weaknesses affecting RCE/PE exploits are CWE-78, CWE-264 and CWE-119. It’s interesting to note that CWE-264 (Category: Permissions, Privileges and Access Controls) is now an obsolete weakness and has been turned into a category. Furthermore, being devices designed specifically for securing access, it is ironic that four of the top 10 RCE/PE weaknesses affecting VPNs are related to permissions, privileges and access controls.
Interestingly, CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)) and CWE-20 (Improper Input Validation), ranked second and sixth on the MITRE’s 2023 Top 25 Software Weaknesses list, rule the roost for most common weaknesses affecting VPN products. Our findings highlight the gap in programming code that makes VPN and Remote Access products more prone to RCE/PE exploits, something that developers ought to capitalize on to make them more secure.
CISA and NSA Guidance Towards Selecting and Hardening Remote Access VPNs
The NSA and CISA put out an advisory in 2021, encouraging organizations to select standards-based VPNs from reputable vendors and harden the VPNs against compromise by reducing their attack surface through strong cryptography and authentication as well as monitoring access to and from VPNs. In 2023, CISA further enforced their stance on VPNs by issuing a binding operational directive towards mitigating risks posed by internet-facing management interfaces.
Since mid-January 2024, CISA has put out a flurry of advisories towards protecting VPNs, with the latest emergency directive being released in early February, after 1700 organizations fell victim to a campaign by an unknown Chinese APT group. The directive mandated that organizations disconnect old VPNs that were not upgradeable and take proactive measures towards maintaining full compliance for reduced intrusions.
What Do We Recommend?
- Adopt regular attack surface management to discover vulnerabilities exposing your network.
- Look beyond just direct VPN deployments and consider all assets for any indirect communication with exposed VPNs.
- Monitor overall organizational asset ecosystem to ensure no other attack vectors, like misconfigured assets, are allowed to link to the VPN vulnerabilities, avoiding an attack chain to compromise the entire network.
- Adhere to the recommended mitigations from your VPN vendor and remediate frequently.
- Transition towards a threat-informed patching protocol to address high-impact vulnerabilities immediately in order to avoid leaving your network vulnerable to infiltration.
- Cultivate a security-conscious workforce for an extra line of defense and to stay safe from social engineering attacks.