VPN Hacks Are a Slow-Motion Disaster

This year has seen no shortage of blockbuster hacks, from the SolarWinds supply chain meltdown to China’s blitz against Microsoft Exchange servers. It’s a lot. But the outsized focus on these hacking sprees obscures another threat that has built steadily in the background for years, with no clear resolution in sight: the sustained assault on virtual private networks.

The latest example of a VPN meltdown (we’re talking corporate connections, not your personal setup) is among the most dramatic. Security firm FireEye this week revealed that it had found a dozen malware families, spread across multiple hacking groups, feasting on vulnerabilities in Pulse Secure VPN. The victims spanned the globe and ranged across the usual high-value targets: defense contractors, financial institutions, and governments. The attackers used their perch to steal legitimate credentials, improving their chances of gaining access that is both deep and sustained.

News broke on May 3, 2021, that a third-party security firm called FireEye had found four major issues present in VPNs set up by tech vendor Pulse Secure. The vulnerabilities were the following:

    CVE-2019-11510
    CVE-2020-8243
    CVE-2020-8260
    CVE-2021-22893

The last of these is considered the most serious: according to Security Week analysts, it could allow unauthenticated remote code execution attacks that come in through the licensed server web services. Most experts attribute the attacks to advanced threat actors, and the way they are carried out means that users may never see them coming.

There appear to be two threat groups. The first, UNC2630, has been linked to the Chinese government and is tracked as APT5. The second, UNC2717, is not currently linked to a known entity or threat group. Both have targeted defense or government agencies, which is yet another compelling reason the U.S. government is using resources like the Attila Security telework kit to provide better security for remote workers.

VPNs used to rely on a set of protocols known as Internet Protocol Security, or IPsec. While IPsec-based VPNs are considered secure and reliable, they can also be complicated and clunky for users. In recent years, as remote work expanded and then exploded, more and more VPNs have instead been built on the ubiquitous encryption technologies known as Secure Sockets Layer and Transport Layer Security. The distinctions descend rapidly into the weeds, but essentially SSL/TLS VPNs made logging onto your company’s network much more seamless—the difference between merging onto the interstate in a minivan versus a Miata.

“That was a big step for convenience,” says Vijay Sarvepalli, a senior security solutions architect with the CERT Coordination Center at Carnegie Mellon University. CERT helps catalog vulnerabilities and coordinate their public disclosure. “When they designed those things, the risks were not yet considered. It’s not impossible to protect these, but people are not prepared to monitor and respond quickly to attacks against them.”

In many cases, hardware-based VPNs can provide better security, are easier to use, and require less maintenance than their software-based counterparts. A software-based VPN is achieved by downloading software on each end user device that needs to connect to the network, as well as installing software on the central network to which those devices will connect. Software-based VPNs encrypt the data transmitted between the end user device and the main network.

Hardware-based VPNs are typically physical devices that connect to an end user device and, when coupled with software installed on the server side within the main network, encrypt communication between the two. In addition, hardware-based VPNs can typically offer firewall functionality to users as well.