The US authorities have released new guidance for organizations on hardening their VPNs against compromise by reducing the attack surface.
The Cybersecurity Information Sheet comes from the NSA and the Cybersecurity and Infrastructure Security Agency (CISA). It warns that multiple nation-state actors have exploited known vulnerabilities in VPN products over the past year to steal credentials, execute arbitrary code remotely, weaken and hijack encrypted communications, and read sensitive data.
“These effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well,” the agencies claim.
They advise selecting standards-based VPNs from reputable vendors with a proven track record for fixing vulnerabilities quickly and mandating the use of strong authentication credentials.
From there, organizations can further harden the devices by requiring “only strong, approved cryptographic protocols, algorithms, and authentication credentials.” The VPN attack surface can then be reduced by patching promptly, restricting external access by port and protocol, and enabling only the features that are strictly necessary.
Finally, organizations were urged to monitor access to and from their VPNs with intrusion prevention (IPS), web application firewalls (WAFs), network segmentation, and remote and local logging for continuous monitoring.
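The crypto and feature-reduction steps above are the kind of thing worth checking mechanically rather than by eye. As an added example (not from the agencies' sheet or from any vendor), the Python script below lints strongSwan-style ipsec.conf fragments for legacy IKE versions, aggressive mode, non-strict proposal lists and weak algorithms. The deny-list of algorithm tokens and the two configuration fragments are constructed for illustration and are not an official approved-algorithm list.

```python
"""Lint strongSwan-style ipsec.conf 'conn' sections for weak VPN settings.

Added example: the deny-list and sample configs are constructed for this
illustration and do not reproduce any official guidance.
"""

# Assumed deny-list for this example: legacy ciphers, hashes and DH groups
# that a hardened profile should not offer to remote peers.
WEAK_TOKENS = {
    "des", "3des", "null", "blowfish", "cast128",   # ciphers
    "md5", "sha1",                                   # integrity / PRF
    "modp768", "modp1024", "modp1536",               # DH groups
}

# Constructed sample: a legacy profile with several weaknesses.
WEAK_CONF = """\
conn legacy-remote-access
    keyexchange=ikev1
    aggressive=yes
    ike=3des-md5-modp1024,aes128-sha1-modp1536
    esp=3des-sha1
"""

# Constructed sample: IKEv2 only, AEAD suites, strict proposals.
HARDENED_CONF = """\
conn remote-access
    keyexchange=ikev2
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16-ecp384!
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def proposal_tokens(value):
    """Split 'aes256-sha256-modp2048,3des-md5!' into its algorithm tokens."""
    return [tok for entry in value.rstrip("!").split(",") for tok in entry.split("-")]


def lint(text):
    """Return a list of (conn, setting, issue) findings for the fragment."""
    findings = []
    for name, opts in parse_conns(text).items():
        # strongSwan's default 'ike' accepts IKEv1 as well as IKEv2 as responder.
        if opts.get("keyexchange", "ike") != "ikev2":
            findings.append((name, "keyexchange", "IKEv2 not enforced"))
        # IKEv1 aggressive mode sends the PSK-derived hash in the clear.
        if opts.get("aggressive", "no") == "yes":
            findings.append((name, "aggressive", "IKEv1 aggressive mode exposes PSK hash"))
        for key in ("ike", "esp"):
            value = opts.get(key)
            if value is None:
                continue
            weak = sorted({t for t in proposal_tokens(value) if t in WEAK_TOKENS})
            if weak:
                findings.append((name, key, "weak algorithms: " + ",".join(weak)))
            # Without the trailing '!', strongSwan appends its built-in default
            # proposals, so the peer can negotiate something you did not list.
            if not value.endswith("!"):
                findings.append((name, key, "proposal not strict, defaults appended"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run it against a real ipsec.conf to get a quick inventory of connections still offering IKEv1, non-strict proposals or legacy suites; extend `WEAK_TOKENS` to match whatever cryptographic policy your organization has actually approved.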
These latest warnings come on the heels of the COVID-19 pandemic, during which VPNs used by home workers were heavily targeted by cyber-criminals.
For example, in October 2020, researchers warned that various groups were chaining the Zerologon vulnerability with VPN bugs to compromise victim networks.
Earlier, in August of the same year, a major British high street retailer was called out for running VPN servers with unpatched critical vulnerabilities, which put it at risk of ransomware and other threats.