VPN An Oft-Forgotten Attack Vector

Published: 22/11/2024   Category: security




Remote VPN connections are not necessarily as secure as you’d think -- how enterprises can get infected by far-flung users via their SSL VPNs



Just because a user on the road VPNs into his corporate network doesn't necessarily mean he's secure -- or that his corporate network is protected from any badness spreading from his machine.
The virtual private network can give organizations a false sense of security when they assume that the encrypted tunnel is enough to lock down the communication between a traveling user and the home network. And VPNs increasingly have become an overlooked attack platform, especially in targeted attacks, security experts say.
In 55 percent of the breaches investigated by Trustwave SpiderLabs this year, the attackers got in via a VPN or remote access connection. The encrypted tunnel to the corporate network secures the traffic going back and forth between the user and the company's servers and resources, but it can also carry malware from the user to the enterprise via that connection, and attackers can grab a user's VPN credentials to make themselves at home in the corporate network as well.
That's because many organizations still use static usernames and passwords for VPN users rather than two-factor authentication, and many don't have user access policies in place and enforced, either.
"A VPN is designed to encrypt and tunnel traffic to enable a user to have a network connection back to their [enterprise] network or data center. In an SSL or any VPN, interception of that traffic is not likely to happen," says Nicholas Percoco, senior vice president at Trustwave and head of Trustwave SpiderLabs.
[Assuming your VPN equals secure remote access can backfire, as can other common mistakes. See "Six Deadly Security Blunders Businesses Make."]
But at the point when an end user joins a guest network, such as an airport WiFi or hotel wired network -- prior to setting up a VPN connection -- his machine can be exposed. "A lot of organizations still issue VPN credentials to their end users with static usernames and passwords. That's the way we saw a lot of breaches that have occurred [via the VPN]," Percoco says. "The credentials get intercepted by a piece of malware on their computer, like a keylogger."
Another mode of attack Trustwave has seen is via a third party that has been given VPN credentials to an organization's network. One company that outsourced its PBX to a third party had given the firm a VPN account to perform maintenance on the PBX systems, and that account was abused, Percoco says. But the company hadn't checked its VPN logs: If it had, it would have noticed that the third-party vendor's VPN account had been active 24/7 for three to four weeks, he says. "They would have noticed something else was going on," Percoco says.
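The log review Percoco describes, as an added example that is not part of the article: it audits constructed VPN login/logout records (the line format and account names are hypothetical) and flags third-party accounts that were connected for most of a review window, the 24/7 pattern the PBX vendor's account showed.

```python
"""Audit VPN session logs for third-party accounts that stay connected 24/7.
Added example, not from the article or any vendor product; the log format
('timestamp user event') and the account names are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample records (hypothetical format, not a real product's output).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z pbx-vendor login
2024-03-01T11:30:00Z pbx-vendor logout
2024-03-02T08:00:00Z pbx-vendor login
2024-03-04T07:55:00Z alice login
2024-03-04T17:05:00Z alice logout
2024-03-05T08:10:00Z alice login
2024-03-05T16:45:00Z alice logout
2024-03-23T08:00:00Z pbx-vendor logout
"""
THIRD_PARTY = {"pbx-vendor"}  # assumed: accounts issued to outside vendors
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 24, tzinfo=timezone.utc)

def parse_sessions(log):
    """Pair each user's login with their next logout; also return logins still open."""
    open_at, sessions = {}, defaultdict(list)
    for line in log.splitlines():
        ts, user, event = line.split()
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if event == "login":
            open_at[user] = t
        elif event == "logout" and user in open_at:
            sessions[user].append((open_at.pop(user), t))
    return sessions, open_at

def connected_fraction(sessions, start, end):
    """Share of the review window during which a session was live."""
    total = timedelta()
    for s, e in sessions:
        s, e = max(s, start), min(e, end)  # clip each session to the window
        if e > s:
            total += e - s
    return total / (end - start)

def audit(log, start, end):
    """Connected fraction per account; an unclosed login counts up to window end."""
    sessions, open_at = parse_sessions(log)
    for user, t in open_at.items():
        sessions[user].append((t, end))
    return {u: round(connected_fraction(s, start, end), 3) for u, s in sessions.items()}

def flag_always_on(log, start, end, threshold=0.9):
    return {u: f for u, f in audit(log, start, end).items() if u in THIRD_PARTY and f >= threshold}
```

A maintenance account that is connected over 90 percent of a three-week window, as `pbx-vendor` is here, is the kind of anomaly a periodic review of the VPN logs would have surfaced.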
Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, says organizations often mistakenly assume their VPN traffic is as secure as traffic on their internal networks. "In a nutshell, that's a mistake," he says. "When a typical user is on a VPN from a remote [site], home office, or on the road, they may not have [proper] security controls in place."
"The VPN is just another flavor of an endpoint breach," says Rainer Enders, CTO of NCP engineering. "The paradigm shift going on is moving away from securing the perimeter. SSL is just a tunnel, and the same is true for IPsec. It's just a pipe, so you need to have additional security measures and components," Enders says.
In the case earlier this year of a disgruntled Gucci network engineer who had been fired, then created a phony employee account and went on a sabotage spree, deleting virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server, two-factor authentication would have stopped it, he says.
"If they had a token or something else that had to be turned in when you were terminated, it would have protected the network," Enders says.
The dangers of unsecured WiFi networks are legendary, but many travelers still use them if they have a VPN client. The risk, of course, is that a user's WiFi connection will be intercepted via an attacker on the network who executes a man-in-the-middle attack.
And on a wired network, such as a hotel LAN, an attacker can ARP [Address Resolution Protocol]-spoof, says Trustwave's Percoco. "The attacker can announce on the wire that he is now the default gateway to the Internet and perform a man-in-the-middle attack," he says. "The user won't likely notice anything," he says.
"If VPN credentials are sent in the clear, the attacker can sniff it and record it. If it's SSL-encrypted, he can try to throw up rogue certificates to try to intercept that [connection]," he says. Attackers typically save those stolen credentials and monetize or sell them, for example.
Look for these attacks to continue: Percoco is currently working on Trustwave's next security report, and he says these remote access attacks are going to look very similar.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
