VPN Vulnerabilities Make them Not So Private Anymore
Our economy, government, work, and personal lives are all connected, and vulnerabilities in that connective tissue let adversaries, agents of espionage, and other malicious actors traverse what we believe are our private digital paths and networks. Just as we were burning out from SolarWinds, our security and IT staff are pushing to get Pulse Secure and other VPN vulnerabilities patched and to follow the mitigation advice for the current zero-day exploit.
RiskSense sounded the alarm on the heightened use and exploitation of remote access technologies a year ago, in April 2020, highlighting the surge in exploits against remote access technology. Why is it still so hard to get organizations to act and close this exposure?
Keeping everything patched and up to date is an impossible task, and it is not the goal of vulnerability management. When realistic, achievable tasks are identified from data-driven intelligence, risk-based vulnerability management points to the vulnerable assets that should be remediated immediately. Perhaps what is missing is the external context of how these exploits are actively being used.
Alerts, especially from government sources such as "Exploitation of Pulse Connect Secure Vulnerabilities", should elevate the associated vulnerabilities to the highest priority in your organization. VPNs are the digital doors to our organizations and need critical priority for vulnerability remediation.
VPN solutions, some more than others, have a history of vulnerabilities:
“Over the past two years, Pulse Secure parent company Ivanti has released patches for a series of Pulse Secure vulnerabilities that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text.” (Ars Technica)
The usage of VPNs has increased the world over. Most organizations use VPNs to keep their work secure and to safeguard their data from breaches. CSW research analyzed 147 vulnerabilities inherent in VPN solutions from 2010 to 2020 (February), and these are the results. (CSW)
Risk-based vulnerability management delivers the details for patching and the data needed to weigh the trade-off between patching and migrating to the next software version that removes the risk. But context is everything in these decisions: beyond the existence of a weaponized exploit, which groups are actively using these vulnerabilities in their attacks, and how?
With work from home, ransomware risk expanded toward the very tools that let organizations continue doing business. In our review of 2020 data, RiskSense ransomware research saw ransomware move toward VPN solutions and leverage these vulnerabilities:
“…many devices and applications used by the world’s remote workforce have vulnerabilities that open the door to ransomware attacks. Notably, Pulse Secure, Sonicwall’s Secure Mobile Access, Microsoft Host Integration Server, Mitel Open Integration Gateway, Citrix Netscaler, Sophos XG Firewall, and F5’s Big IP firewall have the maximum number of CVEs linked to ransomware.” (RiskSense Ransomware Report 2021)
In addition, research showed these vulnerabilities being leveraged by known foreign nation-state actors before the government alert:
Cyber Security Works' (CSW) previous analysis validated the risk of this threat last year, in 2020, when they saw this vulnerability trending in the wild. This month (April 2021), Ivanti, along with CISA, the FBI, and other security agencies, warned users that a Pulse Secure vulnerability was used by China-linked attackers to spy on the US Defense Industry. (CSW)
Is there something different that security, IT, and even financial leaders can do to understand and act on vulnerability risk? RiskSense vulnerability management focuses on open findings against hosts and applications within an organization, prioritized on current, continuously updated threat context.
What if, prior to purchase, subscription, or renewal, buyers weighed not only the solution's capabilities but also its historical and predicted risk through the lens of threat and vulnerability management?
The information organizations should seek out, especially for critical VPN solutions, includes the following:
- Historical vendor track record on vulnerabilities and patch latency
- Identification of the vulnerabilities with weaponized exploits
- The vulnerabilities and exploits used by APT groups and ransomware families
- The underlying coding weakness (CWE) category for the vulnerabilities
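To make the prioritization idea concrete, here is an added example (not RiskSense code, and not its scoring model) that ranks open VPN findings on the four kinds of context listed above plus the age of an unapplied patch. Every CVE identifier, host name, group name, weight, and date in it is a constructed placeholder; the CWE identifiers are real CWE categories chosen for illustration.

```python
"""Rank VPN findings by threat context rather than by CVSS alone.

Added example, not RiskSense code. Weights, CVE ids, hosts, group and
ransomware family names, and dates are all constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Illustrative weights for the context factors the post names.
WEIGHTS = {
    "gov_alert": 30.0,   # named in a government exploitation alert
    "weaponized": 25.0,  # a working public exploit exists
    "apt": 15.0,         # used by a nation-state (APT) group
    "ransomware": 15.0,  # used by a ransomware family
}

# Real CWE categories that, on an internet-facing VPN gateway, tend to mean
# unauthenticated access (improper authentication, path traversal, OS command
# injection, unsafe deserialization). Illustrative selection.
HIGH_IMPACT_CWES = {"CWE-287", "CWE-22", "CWE-78", "CWE-502"}
CWE_BONUS = 10.0


@dataclass
class Finding:
    cve: str            # placeholder id, not a real CVE number
    host: str
    product: str
    cvss: float
    cwe: str
    weaponized: bool = False
    gov_alert: bool = False
    apt_groups: List[str] = field(default_factory=list)
    ransomware: List[str] = field(default_factory=list)
    patch_released: Optional[date] = None  # None: no vendor fix yet


def score(f: Finding, today: date) -> float:
    """CVSS as the baseline, then add the threat-context factors."""
    s = f.cvss
    if f.gov_alert:
        s += WEIGHTS["gov_alert"]
    if f.weaponized:
        s += WEIGHTS["weaponized"]
    if f.apt_groups:
        s += WEIGHTS["apt"]
    if f.ransomware:
        s += WEIGHTS["ransomware"]
    if f.cwe in HIGH_IMPACT_CWES:
        s += CWE_BONUS
    # Our own patch latency: a fix that has sat unapplied for months adds
    # urgency, one point per 30 days, capped at 12.
    if f.patch_released is not None:
        s += min((today - f.patch_released).days / 30.0, 12.0)
    return round(s, 1)


def prioritize(findings: List[Finding], today: date) -> List[Tuple[float, str, str]]:
    """Return (score, cve, host) tuples, most urgent first."""
    ranked = [(score(f, today), f.cve, f.host) for f in findings]
    return sorted(ranked, key=lambda t: -t[0])


# Constructed sample findings. Note that the XSS finding has the highest
# CVSS of the patchable two, yet ranks last once context is applied.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gw-01", "VPN appliance", 10.0, "CWE-287",
            weaponized=True, gov_alert=True, apt_groups=["placeholder-apt"],
            ransomware=["placeholder-family"], patch_released=date(2021, 1, 15)),
    Finding("CVE-0000-0002", "vpn-gw-02", "VPN appliance", 7.5, "CWE-22",
            weaponized=True, patch_released=date(2020, 10, 1)),
    Finding("CVE-0000-0003", "vpn-portal", "VPN web portal", 9.8, "CWE-79"),
]

if __name__ == "__main__":
    for s, cve, host in prioritize(SAMPLE, date(2021, 4, 20)):
        print(f"{s:6.1f}  {cve}  {host}")
```

Ranking by CVSS alone would put the portal XSS (9.8) ahead of the path-traversal finding (7.5); adding the weaponized-exploit, alert, APT, ransomware, and CWE context reverses that, which is the point the list above is making.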
RiskSense Vulnerability Knowledge Base (VULN KB) provides weaponization details and the exploits used by APT groups and ransomware for all known CVEs, along with code-weakness classification (CWE) and detailed patch information. To help organizations make risk-informed decisions about the future of their VPN solutions and prioritize vulnerabilities, we are offering access to our RiskSense vulnerability intelligence.
Reach out to us and we can show you the details of your current or future VPN choice from a full-spectrum, risk-based vulnerability management view. Stop patching at random and move to a strategic vantage point that protects your organization from incidents. Doing this before implementation gives insight into both the technology and the vendor.