{"id":7255,"date":"2022-08-18T08:26:50","date_gmt":"2022-08-18T08:26:50","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7255"},"modified":"2023-04-05T12:27:31","modified_gmt":"2023-04-05T19:27:31","slug":"how-safe-is-your-vpn","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/how-safe-is-your-vpn\/","title":{"rendered":"How Safe Is Your VPN?"},"content":{"rendered":"

Did you know hackers can exploit 125 weaponized vulnerabilities in VPN products to attack their targets?

Virtual Private Networks (VPNs) are widely used solutions that allow users to establish a secure, encrypted connection over the internet so they can work from anywhere. VPN usage surged during the pandemic, when much of the world’s workforce was working remotely.

When this “secure” connection is compromised, it allows threat actors to reach otherwise isolated internal networks, exfiltrate data, and install payloads and other sophisticated tools, resulting in ransomware attacks.

[Image: Popular VPN breaches]

In 2020, our researchers investigated eight popular vendors and found 147 vulnerabilities in VPN products. This year, we have broadened our scope to investigate 71 vendors and the vulnerabilities that exist within their products.

Top 5 Findings

1. Our analysis of 430 unique VPN products offered by 71 vendors identified 1,281 vulnerabilities across them.

2. Attackers have already weaponized 10% of these vulnerabilities.

3. APT groups have associations with nine of these vulnerabilities, and ransomware groups have the means to exploit eight of them. Notable names are the APT 29, APT 33, and Fox Kitten APT groups, and the Conti, REvil, LockBit, and Pay2Key ransomware groups.

4. CISA’s Known Exploited Vulnerabilities (KEV) catalog lists 2.4% of these vulnerabilities.

5. Popular scanners such as Nessus, Nexpose, and Qualys are not detecting 23% of the vulnerabilities in VPNs.

This blog explores the findings from our research into VPN vulnerabilities.

Vulnerability Prioritization

Our investigation brought to the forefront 1,281 vulnerabilities in 430 unique VPN products.

Today, attackers are not only developing sophisticated techniques to exploit networks but are also willing to share that knowledge with their counterparts. As a result, a vulnerability, once weaponized, becomes a permanent open attack vector that attackers can exploit whenever they choose.

Our research shows that the weaponized vulnerabilities are ripe for exploitation. Notably, 117 VPN vulnerabilities are trending in the deep and dark web, a clear sign that attackers are constantly tracking exposed assets for these vulnerabilities.

APT and Ransomware Associations: Of particular concern are 12 vulnerabilities that have associations with APT or ransomware groups, 5 of which have both. These vulnerabilities are particularly dangerous owing to the magnitude of the impact when they are exploited. From data theft and sensitive data leaks to data encryption and ransom demands, the stakes are high, affecting brand reputation and business continuity.

Let us look at the vulnerabilities with both APT and ransomware associations.

| CVE            | APT Associations | Ransomware Associations | Vendor       | Affected Products |
|----------------|------------------|-------------------------|--------------|-------------------|
| CVE-2019-11510 | 7                | 7                       | Pulse Secure | 37                |
| CVE-2019-11539 | 2                | 2                       | Pulse Secure | 135               |
| CVE-2020-5902  | 3                | 2                       | F5           | 84                |
| CVE-2018-13379 | 9                | 5                       | Fortinet     | 2                 |
| CVE-2019-1579  | 5                | 1                       | Palo Alto    | 3                 |

The Fox Kitten APT group has exploit methods for all of the above-mentioned vulnerabilities, which exist in popular VPNs from Pulse Secure, F5, Fortinet, and Palo Alto, while the Pay2Key ransomware group is associated with four of them. Other noteworthy threat groups are APT 29 and APT 33, and the notorious Conti and REvil ransomware players.

A notable callout is CVE-2018-13379 in FortiOS, targeted by nine APT groups and five ransomware groups. This CVE is also listed in CISA’s KEV catalog. An attacker who exploits this vulnerability can download system files via specially crafted HTTP requests without authentication.

Organizations must pay attention to these vulnerabilities and ensure they are remediated immediately, lest their VPNs be used as entry points for gaining a strong foothold on target networks.

Analysis of Severity Ratings

Critical and high severity vulnerabilities warrant immediate attention because of the impact they can have if exploited. Of the VPN vulnerabilities, 57.5% fall into this category.

While the count of critical and high severity vulnerabilities is overwhelming, we should not forget that low and medium severity ones are dangerous too. These are attackers’ trump cards, as they mostly go unnoticed in the flurry of vulnerabilities to be patched. After all, a single unguarded vulnerability, however inconsequential it might seem, is sufficient for attackers to dig their way into vulnerable networks.

We highlight four medium severity vulnerabilities with APT and ransomware associations and CISA’s warning, reiterating the above. Our score assigns a higher rating to these vulnerabilities, reflecting their threat context and exploit impact.

| CVE            | Vendor       | NVD’s Score  | Securin’s Score (on 10) | Securin’s Rating |
|----------------|--------------|--------------|-------------------------|------------------|
| CVE-2017-12319 | Cisco        | 5.9 (medium) | 7.23                    | High             |
| CVE-2018-13383 | Fortinet     | 6.5 (medium) | 8.34                    | High             |
| CVE-2019-11507 | Pulse Secure | 6.1 (medium) | 8.1                     | High             |
| CVE-2020-8195  | Citrix       | 6.5 (medium) | 7.73                    | High             |

Latency Analysis

One of the key findings from this research is that attackers are taking advantage of NVD latency by weaponizing vulnerabilities even before anyone knows of their existence. Since these vulnerabilities are not yet in the NVD, scanners will not detect them, giving attackers a free pass to exploit and breach.

• Of the 74 CVEs with known exploits, 48 (65%) were exploited before publication in the NVD.

• Threat actors targeted eight CVEs with exploits published before they were added to the NVD.

This means that 65% of the vulnerabilities were exploited even before organizations were made aware of their presence. How can organizations protect themselves against threats that they do not know exist?

Another noteworthy observation is that five of the vulnerabilities in VPNs were weaponized before a patch could be released for them. This is the most dangerous scenario: attackers exploiting vulnerabilities that have no official fix.

The workaround for this problem is to predict which vulnerabilities hackers find easy to weaponize. Securin’s threat intelligence platform VI uses predictive AI and ML models to estimate the probability of weaponization. This data allows us to warn our customers early in the game.

Vulnerabilities on Attackers’ Radar

Vulnerabilities with a high likelihood of exploitation: Our early warning predictive analytics assesses vulnerabilities from an attacker’s mindset. Based on hacker chatter and activity on the internet, our researchers have flagged 18.2% of the identified vulnerabilities as having the highest chances of exploitation.

Our analysis also points to 11 vulnerabilities with a high likelihood of exploitation that could soon reach the warning threshold. Organizations must closely watch this subset, as attackers are weaponizing vulnerabilities at an alarming pace today.

We highlight the top 10 weaponized VPN vulnerabilities prioritized by our researchers.