The US authorities have released new guidance for organizations on hardening their VPNs against compromise by reducing the attack surface.
The Cybersecurity Information Sheet comes from the NSA and Cybersecurity and Infrastructure Security Agency (CISA).
It warned that multiple nation-state actors had exploited known vulnerabilities in products over the past year to steal credentials, execute arbitrary code remotely on devices, weaken and hijack encrypted communications, and read sensitive data.
“These effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well,” the agencies claimed.
Their advice is to select standards-based (IKE/IPSec) VPNs from reputable vendors with a proven track record for fixing vulnerabilities quickly and mandating the use of strong authentication credentials.
Once the device has been selected, organizations can proactively harden the equipment by requiring “only strong, approved cryptographic protocols, algorithms, and authentication credentials.”
The VPN attack surface can be further reduced by patching promptly, restricting external access by port and protocol, and running only the strictly necessary features, the notice continued.
Finally, organizations were urged to protect and monitor access to and from their VPNs with intrusion prevention (IPS), web application firewalls (WAFs), network segmentation, and remote and local logging for continuous monitoring.
The warnings come after a pandemic in which VPNs used by home workers were heavily targeted by both state-backed and financially motivated cyber-criminals.
In October 2020, researchers warned that various groups were using the Zerologon vulnerability with VPN bugs to compromise victim networks.
In August last year, a major British high street retailer was called out for using VPN servers with unpatched critical vulnerabilities, which put it at risk of ransomware and other threats.