Attackers Heavily Targeting VPN Vulnerabilities


Threat actors like attacking the technology because they provide a convenient entry point to enterprise networks.

Attacks on virtual private networks, like those this week targeting a trio of known vulnerabilities in Pulse Secure appliances, have intensified in recent months along with the increase in remote and hybrid work environments since the outbreak of COVID-19.

The trend requires organizations to patch VPN and other externally facing devices with the highest priority, says a new report from Digital Shadows.

The report, based on an analysis of vulnerability activity in first quarter of 2021, highlights other threats as well, including increased targeting of remote code execution (RCE) vulnerabilities such as one affecting Oracle WebLogic (CVE-2020-14882) and widespread attacks targeting the ProxyLogon flaws in Microsoft Exchange Server.

 

“[VPNs] continue to be targeted by a plethora of threat groups, which will almost certainly continue for the remainder of 2021,” says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. “VPN devices, in addition to other remote access software, are often prioritized as a useful entry point that can provide threat groups with a stable foothold onto target networks.”

The threat intelligence firm’s analysis of vulnerability activity in the first quarter of this year shows cyber adversaries are actively targeting VPN vulnerabilities, more so than most other attack avenues, to break into enterprise networks. VPN accesses were among the top three access types listed for sale on cybercriminal forums last quarter, Digital Shadows says.

According to the firm, attackers targeted vulnerabilities in a range of VPN appliances, including one in the Fortinet FortiGate VPN (CVE-2018-13379) and an older, previously patched flaw in Pulse Connect Secure VPN (CVE-2019-11510). Both the Fortinet and Pulse VPN appliances were the subject of a joint advisory last week from the National Security Agency (NSA), FBI, and the Cyber Security & Infrastructure Security Agency (CISA). The advisory warned US organizations of Russia’s Foreign Intelligence Services (SVR) — the actor behind the SolarWinds attack — actively targeting the VPN flaws…

Source…