Dark Reading is part of the Informa Tech Division of Informa PLC

Perimeter
4/21/2021 09:20 AM
Attackers Heavily Targeting VPN Vulnerabilities

Threat actors favor the technology because it provides a convenient, stable entry point into enterprise networks.

Attacks on virtual private networks, like those this week targeting a trio of known vulnerabilities in Pulse Secure appliances, have intensified in recent months along with the increase in remote and hybrid work environments since the outbreak of COVID-19.

The trend requires organizations to patch VPN and other externally facing devices with the highest priority, says a new report from Digital Shadows.

The report, based on an analysis of vulnerability activity in the first quarter of 2021, highlights other threats as well, including increased targeting of remote code execution (RCE) vulnerabilities such as one affecting Oracle WebLogic (CVE-2020-14882) and widespread attacks targeting the ProxyLogon flaws in Microsoft Exchange Server.


"[VPNs] continue to be targeted by a plethora of threat groups, which will almost certainly continue for the remainder of 2021," says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. "VPN devices, in addition to other remote access software, are often prioritized as a useful entry point that can provide threat groups with a stable foothold onto target networks."

The threat intelligence firm's analysis of vulnerability activity in the first quarter of this year shows cyber adversaries are actively targeting VPN vulnerabilities, more so than most other attack avenues, to break into enterprise networks. VPN access was among the top three access types listed for sale on cybercriminal forums last quarter, Digital Shadows says.

According to the firm, attackers targeted vulnerabilities in a range of VPN appliances, including one in the Fortinet FortiGate SSL VPN (CVE-2018-13379) and an older, previously patched flaw in Pulse Connect Secure VPN (CVE-2019-11510). Both the Fortinet and Pulse VPN appliances were the subject of a joint advisory last week from the National Security Agency (NSA), FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory warned US organizations that Russia's Foreign Intelligence Service (SVR), the actor behind the SolarWinds attack, is actively targeting the two VPN flaws and flaws in three other products.

"Easily identifiable public-facing infrastructure will always garner significant attention from advanced actors," Morgan says, pointing to the attacks that targeted Pulse Secure VPNs this week. The attacks — by multiple threat groups, including one believed to have links to the Chinese government — have affected several organizations within the US defense industrial base and other sectors. Researchers are currently tracking as many as 12 separate malware families targeting vulnerabilities in Pulse Secure VPNs. Patches have been available for some time for all three of the vulnerabilities in Pulse Secure VPNs that are being attacked.

Thousands of Attacks
Meanwhile, other significant threat activity that Digital Shadows observed last quarter included heavy targeting of RCE flaws and a barrage of attacks aimed at ProxyLogon, a set of four critical vulnerabilities in Exchange Server, which Microsoft disclosed in March.

"Tens of thousands of companies worldwide were impacted by exploiting and chaining of the four zero-day vulnerabilities," Morgan says. "Our observation of this particular set of bugs includes a diverse set of threat groups, including both nation-state and cybercriminal actors."

The sheer scope of the attack activity highlighted both the ease with which the now-patched vulnerabilities could be exploited and the multiple potential courses of action available to an attacker after successful exploitation, he says.

A major concern related to the attacks was the strategy by one hacking group of deploying malicious Web shells on compromised Exchange Server systems so that it could maintain persistent access to them. Concerns over the Web shells on US systems were so high that a court authorized the FBI to remove the shells from systems on which they had been deployed, including those belonging to private companies.
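One check a defender would want after reading this is a hunt for dropped ASP.NET web shells under the Exchange web root, since a shell survives the patch that closes the original bug. The script below is an added example, not code from the article, Digital Shadows, Microsoft or the FBI operation described; its indicator heuristics, directory names and the two sample pages it constructs are this example's own assumptions, not published indicators of compromise.

```python
"""Hunt for ASP.NET web shells under an IIS/Exchange web root.

Added example: the heuristics and fixture below are assumptions made for
illustration, not vendor or government IOCs.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# A web shell has to (1) read attacker input from the request and
# (2) hand it to something that executes code or spawns a process.
# Requiring both keeps ordinary OWA/ECP pages, which do (1) only, quiet.
INPUT_RE = re.compile(r"Request\s*(\[|\.Form|\.QueryString|\.Headers|\.Item)", re.I)
EXEC_RES = {
    "eval": re.compile(r"\b(eval|JScript\.Eval)\s*\(", re.I),
    "process_start": re.compile(r"System\.Diagnostics\.Process|Process\.Start", re.I),
    "assembly_load": re.compile(r"Assembly\.Load", re.I),
    "shell_binary": re.compile(r"cmd\.exe|powershell(\.exe)?", re.I),
}
MAX_BYTES = 512 * 1024  # real shells are tiny; skip bulky bundled assets


def score_file(path: Path) -> Optional[dict]:
    """Return a finding dict for a suspicious .aspx file, or None."""
    try:
        if path.stat().st_size > MAX_BYTES:
            return None
        text = path.read_text(errors="ignore")
    except OSError:
        return None
    hits = [name for name, rx in EXEC_RES.items() if rx.search(text)]
    if not hits or not INPUT_RE.search(text):
        return None
    return {
        "path": str(path),
        "indicators": hits,
        "mtime": path.stat().st_mtime,  # triage newest drops first
    }


def scan_tree(root: Path) -> list:
    """Walk root for *.aspx files and return findings, newest-modified first."""
    findings = [f for f in (score_file(p) for p in root.rglob("*.aspx")) if f]
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)


def build_sample_tree() -> Path:
    """Constructed fixture (not real Exchange files): one benign logon page
    and one one-line shell planted in a client-script directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "owa" / "auth").mkdir(parents=True)
    (root / "aspnet_client" / "system_web").mkdir(parents=True)
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<form runat="server"><input name="username" runat="server"/></form>\n'
        '<% string u = Request.Form["username"]; %>\n'
    )
    (root / "aspnet_client" / "system_web" / "help.aspx").write_text(
        '<%@ Page Language="Jscript" %>\n'
        '<% eval(Request.Item["cmd"], "unsafe"); %>\n'
    )
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}: {', '.join(f['indicators'])}")
```

Point `scan_tree` at the real IIS root (for example the Exchange `FrontEnd\HttpProxy` and `ClientAccess` directories and `inetpub\wwwroot`) instead of the fixture; the input-plus-execution rule will miss obfuscated or split shells, so treat any hit as a lead for manual review and pair the scan with a baseline of expected .aspx files rather than relying on it alone.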

"While active exploitation of the bugs will likely subside in the aftermath of companies updating their servers, there is a distinct possibility that advanced groups could have created other avenues of approach and entry points onto targeted networks," Morgan warns. Last week, CISA updated its original guidance around the flaws, which suggests that Exchange Servers are still being compromised via these bugs even though the vast majority of vulnerable systems have been patched, he says.

Digital Shadows' first-quarter analysis shows that RCE flaws remained the most commonly exploited class of vulnerability, as they were in the fourth quarter of 2020; 23% of the attacks observed in the first quarter involved RCE exploits. The most likely reason attackers favor this class, according to Digital Shadows, is that a single RCE bug enables a wide range of follow-on malicious activity.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...