[BreachExchange] NSA, CISA share VPN security tips to defend against hackers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 29 08:57:00 EDT 2021


https://www.bleepingcomputer.com/news/security/nsa-cisa-share-vpn-security-tips-to-defend-against-hackers-edited/

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the
National Security Agency (NSA) have released guidance for hardening the
security of virtual private network (VPN) solutions.

The two agencies created the document to help organizations improve their
defenses particularly against attacks from nation-state adversaries, who in
the past have exploited bugs in VPN systems to “steal credentials, remotely
execute code, weaken encrypted traffic’s cryptography, hijack encrypted
traffic sessions, and read sensitive data from the device.”

“Multiple nation-state advanced persistent threat (APT) actors have
weaponized common vulnerabilities and exposures (CVEs) to gain access to
vulnerable VPN devices,” the U.S. National Security Agency

The document provides direction for selecting VPN solutions that follow the
industry standards and the best practices for using strong authentication
credentials.

Organizations should also choose products from reputable vendors with a
history of acting quickly to patch known vulnerabilities.

As general rules for hardening the VPN, the two agencies recommend reducing
the server’s attack surface by:

   - Configuring strong cryptography and authentication
   - Running on strictly necessary features
   - Protecting and monitoring access to and from the VPN

“Exploiting remote access VPNs can become a gateway to large-scale
compromise,” said Rob Joyce, Director of Cybersecurity at NSA in an email
to BleepingComputer

Releasing this document comes after threat actors, both financially
motivated and state-supported, have focused lately on exploiting VPN
vulnerabilities to achieve their goal.

The attack vector has attracted government-backed hackers, who leveraged
vulnerabilities in VPN devices to penetrate networks belonging to
governmental organizations and defense firms in various countries.

Earlier this year in April, cybersecurity company FireEye published a
report about two state-backed groups, likely Chinese, that used a zero-day
vulnerability in the Pulse Connect Secure (PCS) VPN appliance in attacks
focused on U.S. defense industrial base (DIB) networks.

Around the same time, the NSA and CISA warned that hackers working for the
Russian Foreign Intelligence Service (SVR) and known as APT29, Cozy Bear,
and The Dukes had exploited and continued to exploit successfully bugs in
Fortinet and Pulse Secure VPN devices for initial access onto a target
network.

An advisory from the U.K. National Cyber Security Centre (NCSC) in May
added appliances from Cisco and other network gear vendors to the list of
products with vulnerabilities that SVR hackers exploited.

Ransomware gangs have also shown a massive interest in this type of network
access vector. At least seven operations have exploited bugs in VPN
solutions from Fortinet, Ivanti (Pulse), and SonicWall.

Cring, Ragnar Locker, Black Kingdom, HelloKitty, LockBit, REvil, or Conti
ransomware operations have breached dozens of companies by exploiting VPN
security issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210929/97dbc760/attachment.html>


More information about the BreachExchange mailing list