Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

End of Bibblio RCM includes -->
6/14/2021
07:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

VPN Attacks Surged in First Quarter

But volume of malware, botnet, and other exploit activity declined because of the Emotet botnet takedown.

Attacks against virtual private network (VPN) products from Fortinet and Pulse Secure surged dramatically in the first quarter of 2021 as threats actors tried to take advantage of previously disclosed vulnerabilities that organizations had not patched.

Log data collected by Nuspire from thousands of devices at customer locations show attacks against Fortinet's SSL-VPN increased 1,916% from the beginning of the quarter as threat actors tried to exploit a path traversal vulnerability in the technology (CVE-2018-13379) that could allow unauthenticated attackers to download files. Attacks targeting Pulse Connect Secure VPNs, meanwhile, jumped 1,527% during the same period as adversaries went after an arbitrary file disclosure vulnerability in the product (CVE-2019-11510) with a maximum possibility severity rating of 10.

Related Content:

Attackers Heavily Targeting VPN Vulnerabilities

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Cybersecurity Vendors to Watch in 2021

Both vendors issued patches for the flaws in their respective products a long time ago, and security analysts have for some time been warning of high adversary interest in the vulnerabilities. As far back as January 2020, for example, Tenable had warned of threat actors leveraging the Pulse Connect Secure flaw to distribute the Sodinokibi ransomware strain. In April, the NSA, FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) identified Russia's Foreign Intelligence Service (SVR) as targeting the Fortinet and Pulse Secure VPN flaws in attacks against US and allied networks.

Jerry Nguyen, director of threat intelligence and rapid response at Nuspire, says the large spike in activity targeting VPN devices in Q1 2021 had to do with organizations not patching these vulnerabilities despite previous warnings.

"The US CIRT released a number of reminder alerts that attackers were looking at these VPNs and people should patch," Nguyen says. "The biggest thing we are seeing with VPNs [is that] everyone is looking at the endpoint and not the perimeter when they need to look at both."

Other vendors, such as Digital Shadows, have reported a similar heightened attacker interest in VPNs, especially after the COVID-19 outbreak and the subsequent shift to a more distributed work environment. One reason for the interest is the broad access that a compromised VPN appliance can provide an attacker, analysts have noted.

According to Digital Shadows, threat actors targeted vulnerabilities in a range of VPN devices — including Fortinet and Pulse Secure devices — in the first quarter of the year.

"The key point is that if a VPN is vulnerable — regardless of the vendor — threat actors will find a way to exploit it and monetize it," says Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows. "Adversaries know that people are slow to patch despite public warnings, so they will continue attacking vulnerable endpoints as long as it proves fruitful."

Nikkei says that Digital Shadows has seen evidence of threat actors exploiting vulnerabilities in VPN products from other vendors as well.

Decline in Other Malicious Activity
Ironically enough, the sharp increase in VPN attacks came amid an overall decrease in malware, botnet, and other types of exploit activity. Nuspire's analysis of threat data from the first quarter of 2021 showed malware activity declining by more than 54% compared with Q4 2020. Vulnerability exploit activity — other than that targeting VPNs — dropped nearly 22% compared with the previous quarter, while botnet activity declined by some 11%.

Nguyen says the relatively sharp drop in malware, exploit, and botnet activity had to do with law enforcement's takedown of the massive Emotet operation in January.

"Emotet has consistently been one of the top trending malwares in our threat reports, and it created a vacuum when shut down," Nguyen says.

It's quite likely, however, that the lull was temporary and that malware, exploit, and botnet activity trended upward once again last quarter.

"I would expect another malware family, such as TrickBot, potentially to begin to trend more or a new malware variant take over," Nguyen says. "Threat actors will not just stop distributing malware. They will adapt and move on to something new."

Josh Smith, security analyst at Nuspire, says enterprise organizations must pay close attention to remote access security involving VPNs and Microsoft's Remote Desktop Protocol — another favorite attacker target. Both technologies give threat actors broad access to a network for deploying ransomware, he says. Organizations must monitor their technology stack and ensure they are applying security patches as soon as possible. Multifactor authentication (MFA) is also vital, he says.  

"End users may find it frustrating to have to enter MFA codes, but if credentials are leaked that allow access to a remote service, MFA can be the difference between a successful breach or stopping a threat actor’s access," Smith says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-10072
PUBLISHED: 2023-02-04
A vulnerability classified as problematic was found in NREL api-umbrella-web 0.7.1. This vulnerability affects unknown code of the component Flash Message Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.8.0 is able to address this...
CVE-2018-25079
PUBLISHED: 2023-02-04
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3...
CVE-2023-0671
PUBLISHED: 2023-02-04
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
CVE-2023-24806
PUBLISHED: 2023-02-04
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2013-10017
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recom...