Sunday 18 July 2021

Working from home – is VPN safe anymore?


The pandemic struck and most of those people who usually worked from an office started working from home. Even mainframers were working on a laptop from home. The IT team needed a speedy way to get these people securely working from home and VPN became a three-letter acronym known to millions of people. Users were happy, they could work from home. Management were happy because their employees could work remotely. And hackers were happy because they could now pretty much gain access to every organization that they wanted!

For some people, the idea that virtual private networks (VPNs) aren’t secure must come as a shock, but anyone looking at the news this year will realize that VPN security has been a problem.

Before we look at what’s been in the news, let’s quickly remind ourselves what VPN is meant to do and how it works.

While everyone was safely inside their corporate offices working, they could access data and applications safely. However, once they were working remotely, they really needed a dedicated cable running from their laptop to the company network. This would be a private network just for them, and this would keep safe all the information passing backwards and forwards. However, this was never going to happen. So, users connected from home to office over the Internet. And in order to keep the packets of information safe, they used a virtual private network. In effect, there’s a virtual tunnel through the Internet from one end to the other. It keeps the information secure, and the activity anonymous. Sounds like the problem’s solved, doesn’t it?

Capcom, the video games developer in Japan, was hacked in November last year. It appears that Capcom’s US subsidiary retained an older VPN service as a backup, and this was used by the hackers to get into North American and Japanese networks, where they knocked out email and file servers. Apart from a ransomware demand, 390,000 individuals may have had their data compromised.

Zyxel has recently warned customers that its devices are being attacked, including security appliances having remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware. Once hackers can access the device, they can connect to previously unknown accounts hardwired into the devices.

Worryingly, we hear that what's thought to be a North Korean hacking group has got into South Korea’s atomic research agency. Hackers breached the Korea Atomic Energy Research Institute (KAERI) network on 14 May using a VPN system vulnerability.

LimeVPN, a VPN provider, has been hacked and 69,000 users have had their personal information stolen. A backup server was hacked that included a database of the details of all of LimeVPN's customers. The hackers claim to now possess the private key of every user, which means their data could be decrypted.

In the first quarter of this year, there was a 1,916% increase in attacks against Fortinet’s SSL-VPN. This was probably due to three different problems with Fortinet FortiOS. Firstly, it seems that unauthenticated hackers could use specific HTTP resource requests on the SSL VPN web portal, which allowed them to download system files. Secondly, unauthenticated attackers on the same subnet could impersonate an LDAP server and intercept information. Thirdly, simply by changing the case of their username, hackers could successfully log in without being prompted for a second authentication factor. Clearly, anyone using unpatched Fortinet devices could be hacked, giving bad actors access to their network. The company has released patches to fix the vulnerabilities.
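The third Fortinet problem above is a classic canonicalization mismatch: one component matches usernames case-insensitively (as many directory back-ends do), while the lookup that decides whether a second factor is required matches the exact string the user typed. The following is an added illustration of that pattern and the fix, written for this page; it is hypothetical code, not Fortinet's implementation, and the user table, MFA policy and passwords are constructed sample data.

```python
"""Canonicalization mismatch between password check and MFA-policy lookup.

Added example (not Fortinet's code). USERS and MFA_REQUIRED are constructed.
"""
import hashlib
import hmac
import unicodedata


def _toy_hash(password: str) -> str:
    # Demonstration only: a real system uses a password KDF (argon2, bcrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed credential store, keyed by lowercase username.
USERS = {
    "alice": _toy_hash("correct horse"),
    "bob": _toy_hash("battery staple"),
}

# Constructed MFA policy: accounts that must present a second factor.
# Note the keys are stored in one particular case.
MFA_REQUIRED = {"alice"}


def check_password(username: str, password: str) -> bool:
    """Password check with a case-insensitive username match, like an LDAP bind."""
    stored = USERS.get(username.casefold())
    if stored is None:
        return False
    return hmac.compare_digest(stored, _toy_hash(password))


def login_vulnerable(username: str, password: str) -> str:
    """Vulnerable flow: the MFA lookup uses the raw string the user typed."""
    if not check_password(username, password):
        return "denied"
    if username in MFA_REQUIRED:          # exact-case match: 'ALICE' != 'alice'
        return "mfa-required"
    return "password-only"


def canonicalize(username: str) -> str:
    """One canonical form (Unicode NFKC, trimmed, casefolded) used by every lookup."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def login_fixed(username: str, password: str) -> str:
    """Hardened flow: canonicalize once, then use that name everywhere."""
    canon = canonicalize(username)
    if not check_password(canon, password):
        return "denied"
    if canon in MFA_REQUIRED:
        return "mfa-required"
    return "password-only"


def policy_keys_not_canonical(policy: set) -> list:
    """Config check: policy entries whose stored form differs from canonical form."""
    return sorted(k for k in policy if canonicalize(k) != k)


if __name__ == "__main__":
    for name in ("alice", "ALICE", " Alice "):
        print(f"{name!r:10} vulnerable={login_vulnerable(name, 'correct horse'):14}"
              f" fixed={login_fixed(name, 'correct horse')}")
```

The defensive rule this demonstrates is that every identity decision (password, MFA, group membership, logging) must key off the same canonical identifier, and that a policy table should be validated at load time so it never contains a non-canonical key.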

Also, in the first quarter of the year it’s been revealed that there has been a 1,527% increase in attacks on Pulse Connect Secure VPNs. In fact, in April the Metropolitan Transportation Authority (MTA) in New York revealed it was breached by hackers linked to the Chinese government. The Metropolitan Water District of Southern California and communications company, Verizon, were also targeted. It seems there was a zero-day vulnerability in Pulse Connect Secure VPN, which has now been patched.

Another attack using VPN was on Colonial Pipeline, which operates a pipeline from Texas to New Jersey and provides around 45 percent of the USA’s East Coast’s oil supplies. In this attack, hackers used an old VPN account that still provided access to the network. All they needed was a username and a password. The recommendation is that everyone uses multi-factor authentication when users log in, and that all old accounts are removed, so they can’t be used to gain access to the network.
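Both recommendations (remove old accounts, require MFA) are things an administrator can check mechanically against an export of the VPN appliance's or identity provider's account list. The script below is an added example written for this page, not code from any of the vendors mentioned; the account records and the 90-day staleness threshold are constructed assumptions, and a real audit would read the same fields from the appliance's user export or the directory.

```python
"""Audit a VPN account list for stale, orphaned and MFA-less accounts.

Added example; SAMPLE_ACCOUNTS and STALE_AFTER are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never been used
    owner_active: bool           # False once the employee/contractor has left


# Constructed sample export (in practice: appliance user list joined to HR/IdP).
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", True, True, date(2021, 7, 15), True),
    VpnAccount("bob", True, False, date(2021, 7, 10), True),
    VpnAccount("contractor-old", True, False, date(2020, 11, 2), False),
    VpnAccount("svc-backup", True, False, None, True),
    VpnAccount("carol", False, True, date(2021, 1, 4), True),
]

# Assumed policy: an account unused for this long is treated as abandoned.
STALE_AFTER = timedelta(days=90)


def audit(accounts: List[VpnAccount], today: date) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every enabled account with a problem."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: nothing to do
        issues = []
        if not acct.owner_active:
            issues.append("owner-departed")
        if acct.last_login is None:
            issues.append("never-used")
        elif today - acct.last_login > STALE_AFTER:
            issues.append("stale")
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if issues:
            findings[acct.username] = issues
    return findings


# Issues that justify disabling the account outright rather than just fixing MFA.
DISABLE_ON = {"owner-departed", "never-used", "stale"}


def accounts_to_disable(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts the Colonial Pipeline lesson says should not exist any more."""
    return sorted(u for u, issues in findings.items() if DISABLE_ON & set(issues))


def accounts_needing_mfa(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts that stay, but must be enrolled in a second factor."""
    disable = set(accounts_to_disable(findings))
    return sorted(u for u, issues in findings.items()
                  if "no-mfa" in issues and u not in disable)


if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, date(2021, 7, 18))
    for user, issues in sorted(result.items()):
        print(f"{user:15} {', '.join(issues)}")
    print("disable:", accounts_to_disable(result))
    print("enrol in MFA:", accounts_needing_mfa(result))
```

Run periodically, the useful output is the two lists at the end: accounts to disable, and accounts that remain but are still password-only. Joining the VPN export to the HR or directory record (the `owner_active` field here) is what catches the account whose owner left but whose credentials were never revoked.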

The problem is so serious that Help Net Security ran a headline in June saying, “VPN attacks up nearly 2000% as companies embrace a hybrid workplace”. Adding to everyone’s concern is the fact that US and British authorities have issued a joint advisory notice saying that Unit 26165, part of Russia's military spy agency, had been using VPNs and Tor to conduct "widespread, distributed, and anonymised brute force access attempts against hundreds of government and private sector targets". These include government offices, political parties, energy companies, law firms, and media organizations.

It makes sense now for every organization using VPN for their working-from-anywhere employees – and that includes companies that also have a mainframe – to review the security of their VPN setup, and replace products where necessary or patch everything to the latest version. It might be a good idea to look at zero trust networks to keep checking that users are authorized and only doing what they’re authorized to do. And keep an ear to the ground for any news of VPN hacks and quickly respond. With nation states now using hacking teams in addition to criminal gangs, no one is completely safe.
