The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published technical guidelines on correctly securing VPN servers utilized by organizations to allow employees remote access to internal networks.
According to NSA, these technical guidelines were created after several nations confirmed that advanced persistent threat (APT) actors weaponized vulnerabilities in common VPN servers as a way to breach organizations.
For example, Chinese, Iranian, and Russian state-sponsored groups have been detected exploiting vulnerabilities in Pulse Secure and Fortinet VPNs in campaigns that have taken place between 2019 and 2021.
According to NSA press release:
The exploitation of these CVEs [vulnerabilities] can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.
Rob Joyce, Director of cybersecurity at NSA, has said that the latest guidance from NSA and CISA can help shrink your attack surface.
VPN servers are entry points into protected networks, making them attractive targets. APT actors have and will exploit VPNs – the latest guidance from NSA and @CISAgov can help shrink your attack surface. Invest in your own protection! https://t.co/npBc8Sh9A4
— Rob Joyce (@NSA_CSDirector) September 28, 2021
Various ransomware gangs such as Conti, Ryuk, REvil, DoppelPaymer, LockBit, and several others have been found using VPN servers as their entry points into organizations before increasing access to internal networks and launching their cyberattacks.
Moreover, VPN servers are also being utilized by crypto mining botnets to infiltrate corporate networks and then jeopardize internal systems with hidden cryptocurrency mining software that consumes computing resources for the attackers’ financial profits.
While speaking to The Record, Rob Joyce said:
Exploiting remote-access VPNs can become a gateway to large-scale compromise. We created guidance to help organizations understand what to look for when choosing VPNs and how to configure them to reduce the risk of being exploited. Use these recommendations to verify any VPNs are securely configured.
The technical guidelines, which is expected to receive updates, contains advice on the following topics:
- Recommendations for selecting remote access VPNs
- Instruction about configuring strong cryptography and authentication
- Consultation on overcoming the VPN’s attack surface by running only strictly necessary features
- Direction on protecting and monitoring access to and from the VPN
Recent Cyberattack in the United States:
Iowa-based grain company NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to shut down its system to counter the attack. The BlackMatter group behind the attack has demanded ransom concerning the public as it may affect the supply chain in the US, causing a potential food shortage.
Read more about it here: $5.9 Million Ransomware Attack on a US Farmer Cooperative.