Conventional wisdom says that initial access is often a phishing attack, and that is often the case, but there is a growing trend where compromise of the remote access device is the initial point of compromise.
This trend emerged following the most interesting security conference talk I saw at Black Hat USA in 2019: Attacking the intranet like NSA. The presentation detailed techniques that allowed for the compromise of many of the world’s leading remote access solutions.
The presenters said they were inspired by the Shadow Broker leaks of techniques used by the Equation group, highlighting a focus on VPN’s as a devastating point of initial compromise. As the presentation and subsequent attacks highlighted; remote access VPNs are often highly trusted devices. Once compromised, adversaries often find themselves with access to all sorts of sensitive applications and data.
The talk focused on compromising several leading Remote Access VPN vendors, with a consistent use of the web front end of the VPN as the vulnerable attack surface.
After the presentation at Black Hat, there have been several adversaries leveraging remote access VPN vulnerabilities as the initial point of entry into corporate networks. What’s interesting is the diversity of adversaries who have targeted a diverse set of victims. The attacker profile covers well-funded nation states, all the way to opportunistic ransomware crews.
Nation State Attackers:
As the Black Hat presentation highlighted, Cheng-Da Tsai (aka: Orange Tsai) took inspiration in their decision to target VPNs from the NSA. Not surprisingly, following this talk, the NSA and National Counterintelligence and Security Center (NCSC) warned that these vulnerabilities, which were present across hundreds or thousands of organizations, were actively being exploited by nation state actors.
Industrial Control Systems:
Dragos’ recent analysis of attacks directed at ICS systems highlights the PARASITE actor’s exploitation of vulnerable VPNs as the preferred method of gaining initial access. This actor focuses on utilities, aerospace, as well as oil and gas operations in North America, Europe, and the Middle East. This actor is assumed to be a nation state.
Financial Fraudsters:
In late 2019, Phineas Phisher published a manifesto entitled “how to rob a bank.” It described how initial access was gained by exploiting vulnerabilities in the VPN, a favorite technique used by this famous attacker in other attacks as well. It is a fascinating story. After gaining access to the corporate network on the trusted side of the VPN, it navigated the network successfully enough to craft fraudulent SWIFT transfers.
Ransomware:
Conventional wisdom holds that attackers focused on monetizing attacks via ransomware are looking for opportunistic victim selection. That may be less true than it used to be, but it is likely that ransomware crews are looking for relatively low effort, highly repeatable methods of compromise.
For that reason, it is interesting that ransomware crews appear to have joined the other classes of adversaries in using vulnerable VPN endpoints as their method for initial compromise. If ransomware crews are compromising vulnerable VPN endpoints, that is an indication that it is seemingly a fairly repeatable and available technique.
So what?
It isn’t particularly interesting that vendors, even security vendors, have high severity vulnerabilities. Any organization that writes code will inevitably encounter vulnerabilities, some of which will be high severity. Nor is it interesting that enterprises have been slow to patch these vulnerabilities. Sadly, that is a well understood problem.
What is interesting is the nature of the vulnerabilities. As the Black Hat presentation underscored, these attacks are often web application attacks abusing the web frontend that has been extended from VPNs.
VPNs have really been workhorses providing access to a diverse set of applications that enterprises have built over decades. Things really got interesting as the VPN was asked to adapt to modern applications, which are overwhelmingly web-based and presented via a browser. To accommodate this dominant usage pattern, VPNs built-in more and more web functionality, ultimately leading to a juicy attack surface for an attacker looking to attempt OWASP-style attacks.
I think the way attackers have zeroed in on the web attack surface in traditional remote access solutions is the most interesting takeaway from all these attacks. Enterprises need to consider the web server functionality of these remote access solutions as part of their critical web app attack surface, and defend it accordingly.
The good news is that new SaaS-based remote access solutions are emerging that provide embedded web app security capabilities. Gartner calls these new solutions the Zero Trust Network Access and they have some bold predictions about how rapidly these solutions will replace legacy Remote Access VPNs. Forrester is forecasting very similar trends with what they call the Zero Trust eXtended solution set, while Ovum refers to these solutions as Zero Trust Access.
It will be interesting to see if the adoption trends follow the forecasts of the analysts, which all seem to be moving in the same direction. Even more interesting will be to observe if this offers effective protection against the string of attacks we have witnessed over the past several quarters.