The Fragile State of Corporate VPN Security
Different layers of VPN vulnerabilities
Despite the seemingly solid reputation, VPNs are not impenetrable – and never have been. Corporate or not, most services can fall prey to both technical vulnerabilities and social engineering attacks.
Let’s dive into the details of stolen VPN logs, file system vulnerabilities, as well as the increasingly popular (and highly effective) phishing attacks.
Social Engineering Attack Vector
The switch to remote work has been a gold mine for ingenious social engineers who, in the past few months, developed sophisticated voice phishing attack methods to penetrate corporate networks.
Although initially targeted at small companies, the focus has now shifted towards large-scale businesses in the finance, telecom, and social media industries.
A level-up from the email phishing attacks, bad actors now use phone communication to convince a victim to give VPN credentials. The goal is to gain access to valuable assets: tools, social media accounts, and any other resource that can be cashed out.
Because the cashing out part is usually quite tricky, the attackers often work for hire. They target a specific company and find a hole in its security. These kinds of intrusions involve gathering valuable and confidential information (code, backups, user data, etc.), as well as creating back-doors that allow access to the system in the future.
How It’s Done
The target is usually the recent hires. It’s not uncommon for new employees to be confused about the procedures of their company, which is why they are the most susceptible to deception.
Two or more attackers are working in tandem to obtain VPN credentials and get inside the system. One of them calls an employee and impersonates someone from the IT department. The other is waiting until the credentials are exposed to instantly use them in case a time-sensitive code is in place.
The fake story is simple: the “IT guy” is also a new hire, and he or she needs to troubleshoot some sort of an issue with the VPN network, hence the hassle. But in itself, it doesn’t sound particularly believable.
Attackers use vague words in conjunction with company-specific details (like tools and technology) to make an impression of actually working inside the company. On top of that, a fake LinkedIn/Slack/etc. profile is used as a “proof” that a person is indeed real and connected with other employees (which is easy enough to achieve when dealing with a large corporation).
Even failed attempts to convince a real employee to give out their credentials bring results. The attackers get to hear company lingo and pick up on essential details through the conversation, thus creating a more believable story for the next victim.
At some point, someone falls into the trap. Depending on the company’s business VPN authentication policy, the credentials are being asked either via phone or through a fake website form.
The attackers create a domain name that combines a company’s name with the word “employee”, “helpdesk” or similar, so the result looks like this: “helpdesk-att(dot)com”.
Inside, there is a simple form. It is styled just like the real one would be, with links to the company’s actual resources creating an even stronger impression of legitimacy. There are usually fields to enter credentials, as well as security codes in case of two-factor authorization.
Fake websites are only live when an attack is in progress, making takedown requests unlikely to succeed. Registrars refuse to block these websites because, at the time of the complaint, they are offline and not doing anything malicious.
Finally, when the credentials (and possibly security code from the phone) are entered, the second attacker rushes to use the given information to login as an employee and either create a long enough session or add other ways of accessing the account.
Most of the time, the attack involves some sort of data extraction, be it credentials, sensitive data, source code, etc. The key consideration is being invisible. These days, it’s become particularly easy.
For example, an Iranian group called Oilrig uses DNSExfiltrator, which is an open-source tool to hide data transferring activity from the network completely.
Instead of transferring data via the standard HTTP protocol (that can be easily monitored), it employs the DNS protocol (normally used to find a domain name of an IP address).
But DNS sends data in clear text, so the attackers are likely using DNS over HTTPS (DoH), which uses HTTPS encryption on the DNS protocol data, making it much harder to see.
This basic method allows hackers to transfer the data within the internal system (and outside of it) without getting noticed, which is an uncomfortable realization. Therefore, it’s very much preferred to never let attackers penetrate your system.
The Weak Points of Business VPNs
Human factor is the ultimate exploit. It always has been – especially in large enterprises. But accounting for every possible way things can go wrong is not an easy challenge.
The common approach is to conduct personnel training: educate employees about security and phishing schemes, as well as inform them about the company’s processes. Some corporations even go as far as fake phishing attacks to test how prepared the employees actually are.
The method works, but only to an extent. With complex social engineering attacks, the details can be so sophisticated that no amount of preparation will help.
Identifying the Root Cause
Instead of trying to prevent the symptoms, it’s important to find their cause. In this case, the cause is multi-factor authentication, which is not a reliable protection mechanism.
It doesn’t even matter how complex the authentication scheme is. If the details can be passed on from person to person by using, well, a human language, it gives a perpetrator plenty of ways to obtain and abuse the information.
A better way of handling VPN authentication would be to implement a Universal 2nd Factor (U2F) authentication in the form of a USB key. These work similarly to a physical key, tailored to a specific service. Nothing will happen unless a user inserts the key into the USB port and presses a button that triggers authentication.
Regardless, many companies are hesitant to employ this mechanism.
Technological Attack Vector
Now, even if your employees aren’t the target, your technology can be. The server and network security is a complex field with plenty of room for error with constantly emerging vulnerabilities. Some are caused by negligence, while others are just bugs or logic errors that nobody thought of before they got discovered.
Speaking of negligence, a large scale of operations complicates the security aspect a fair bit. In 2018, NordVPN’s insecure third-party server with a remote management vulnerability was broken into and a TLS certificate for user authentication got stolen. Thankfully, the certificate was expired.
Another example is a family of VPN services from Hong Kong (UFO VPN, FAST VPN and the likes). The log files of their users (that weren’t supposed to exist in the first place) were publicly accessible due to an API endpoint that required no authentication. “A human error,” claimed UFO VPN, but one that leaked VPN passwords and other usage information of millions of users.
Pulse Secure VPN Breach
A more serious example has to do with the CVE-2019-11510 vulnerability in the Pulse Secure business VPN product that was used to obtain a wide array of sensitive user information from over 900 servers. SSH keys, admin details, plaintext usernames and passwords, VPN session cookies – the list goes on and on.
The same vulnerability was used a few months prior against several companies including the currency exchange provider Travelex. The hackers injected ransomware into the systems, which, in the case of Travelex, forced the company to resolve to manual operation.
Details of the Most Recent Breach:
The attackers are assumed to have scanned the entire IPv4 address space (4+ billion of IP addresses) for vulnerable Pulse Secure VPN servers that didn’t apply the security patch.
They then used the CVE-2019-11510 vulnerability to gain access to the systems and collected any and all information that they could find.
What is CVE-2019-11510?
Made public in 2019 and patched in April of the same year, CVE-2019-11510 is an arbitrary file disclosure vulnerability. Pulse Secure SSL VPN versions 8.1R15.1, 8.2, 8.3, and 9.0 are affected.
The vulnerability makes it possible to read the user data from the following file: /data/runtime/mtmp/lmdb/randomVal/data.mdb. In simpler terms, an unauthenticated attacker can send a specific URI to a server and get VPN session IDs of active users, admin privileges, and even execute arbitrary commands.
As of August 2020, more than 600 servers are still susceptible to the CVE-2019-11510 exploit.
The logistical demands of remote work combined with various third-parties accessing the services lead to a plethora of new vulnerabilities and attack vectors.
The complexity of internal networks and tools has been steadily rising, but companies aren’t as eager to spend dollars on securing the tools as they are on developing them. The same goes for preventive mechanisms overall, including the ones against social engineering attacks.
In order to decrease the risk of a business VPN network breach, a number of aspects should be considered: monitoring, access and privilege control, staff training, up-to-date tools, good security design, and policies – everything should work in tandem otherwise the whole system might collapse.