How Threat Actors Are Using Corporate VPN Credentials to Attack Your Organization

Executive Summary
Recent events have shown us that hackers use your ability to access your corporate network remotely against you. As we move forward, working remotely will only become more common. Cyber-attacks are rising, so companies must take steps to secure their networks. While one will never stop all attacks, throwing up many roadblocks helps deter most attackers. Unfortunately, time is money to criminals as much as legitimate businesses.
This report discusses standard methodologies hackers employ to gain access to corporate networks, including exploitation and Social Engineering (SE). We will also cover recently exploited vulnerabilities in popular corporate Virtual Private Network (VPN) services. Lastly, we will present our findings on which corporate VPN services may be bigger targets than others.
Risk Mitigation Techniques
Implement strong passwords and do not share them.
Keep all VPN software/hardware patched and updated.
Properly configure IKEv2/IPsec rules.
Limit group permissions to only those that need them, particularly in Active Directory.
Closely or severely limit Remote Desktop Protocol (RDP) use.
Implement an Operational Security (OPSEC) training program with a focus on SE.
Implement a stateful or stateless firewall depending on what works best for your company.
Note: larger businesses can benefit more from a stateful firewall.
Implement both in-band and out-of-band multi-factor authentication and a Public Key Infrastructure (PKI).
Maintain a test server for patches and updates. This practice will ensure that new patches do not cause harm to your current network configuration.
Follow procedures outlined in NIST SP 800-207 for zero-trust architecture.

Why VPNs?
No matter the reason, remote jobs and telework are here to stay. Large and small companies have used VPNs to let their employees connect remotely to a company's internal server. VPNs also add another layer of protection by encrypting traffic in transit, adding another safety measure for corporate traffic. However, with added convenience comes calculated risk.
While VPNs are a fantastic technology that provides a measure of security and a significant degree of convenience, they are by no means infallible. Public-facing protocols typically have exploitable security flaws that attackers will use to access a system. In addition, internal network configurations also maintain vulnerabilities that would allow attackers to escalate their privileges and potentially give them unfettered access to your internal network.
Since increasing numbers of companies require remote connectivity for their employees, each employee becomes a weakness attackers can exploit. A network may be patched, updated, and hardened against remote exploitation, but human vulnerability still exists. Since an employee with remote access through a VPN can connect to an internal network, all an attacker needs to do is harvest their credentials to masquerade as that employee and move about unnoticed.
Understanding the Motivation
Historical data shows that the objectives of cyberattacks follow patterns tied to the attacker's country of origin; for example, Russian hacker groups are financially motivated, with most attacks centered around Ransomware for profit. Ransomware is incredibly lucrative, and the Russian government has stated that it will not attempt to prosecute any group so long as it does not attack state interests. State-sponsored attacks mostly center around breaches of government databases or misinformation campaigns.
Hacker groups from China are predominantly state-sponsored, and most attacks center around intellectual property theft or breaching government systems for political gain. Most attacks coming from China are against targets located in Southeast Asia, but there have been many recorded attacks against technology-based companies within the United States.
Iranian hacker groups are state-sponsored actors seeking to conduct anti-western messaging or obtain sensitive information from other governments. Recently, we have seen a rise in non-state-sponsored attacks for financial gain. In recent news, CISA and FBI have noted that non-state attacks were against "a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations."
In the case of ransomware, recent trends in cyber-attacks show that the likelihood of an attack is directly proportional to the company’s profitability. When protecting your infrastructure, it is best to go with a layered approach involving multiple deterrence methods. There is no way to guarantee that your organization will be saved, but thoughtful security practices can make you less of a target.
Operational Security (OPSEC) is the best approach when it comes to protecting intellectual property. Keeping news of any critical developments as quiet as possible, compartmentalizing information to those who need to know, and calculating risk should all be standard practices. In addition, providing OPSEC training to your employees will make them more vigilant of potential Social Engineering campaigns and make your company less vulnerable.
While threat actors’ motivations may differ, many techniques used to access a network remain the same. We will discuss some of these techniques below.
Examples of Standard Tactics, Techniques, and Procedures (TTPs):
Reconnaissance
Collect publicly available information about the target
IP addresses
Email addresses
Employee Names
Software products used
Business partnerships with other companies
Scan and Enumerate
Scan public-facing websites linked to the intended victim.
Enumerate the network and create a network map.
Survey device types, current versions, open ports, and protocols.
Assess Vulnerabilities
Check for outdated software.
Scan for unencrypted credentials and harvest if possible.
Determine vulnerability to publicly available exploits.
If no exploit is a viable option, or exploitation would be too time-consuming, fall back to SE tactics.
Gain Access
Use credentials to gain access to an internal network.
Assess user privilege level.
If an attacker has Admin, Root, or System privilege, continue with exploitation.
If the attacker only has user-level privilege, conduct reconnaissance of the current system to escalate privileges to Admin, Root, or System.
Use native commands to enumerate the internal network further and assess additional vulnerabilities.
Move Laterally
Attempt to move to different devices within a network and establish and maintain as many points of persistence as possible.
Maintain Access
Install backdoors.
Attempt to establish persistence, meaning the chosen access method will survive a reboot.
If an attacker has escalated their privileges in most networks, the victim cannot do much to stop them from launching an attack. Most of the time, unless a blue team is employed, the likelihood of detecting malicious activity as it is happening is slim. In the case of Ransomware, crypto-locking files over an extensive network will take a matter of minutes. In the case of a double extortion attack, once the files are crypto-locked, there is already an established connection to an exfiltration server. The adage "an ounce of prevention is worth a pound of cure" rings true here.
Initial Access Vectors for Credential Harvesting
Social Engineering (cybersecurity): The use of social manipulation to obtain personal or confidential information for illicit use.
Social Engineering is the most common method hackers use to access a secure network. Software developers and technology companies work hard to ensure that their products are safe for use and do not have many security flaws. However, better code can't always fix the human element. While every piece of software may have security flaws, gaining initial access through product exploitation can be challenging. It can require skill and much technical knowledge. The risks can also be reasonably high. On the other hand, Social Engineering relies on the human element, which is prone to making mistakes. In most cases, the risk to the attacker is low.
Phishing: The practice of tricking internet users, typically through deceptive emails, websites, or messages, into revealing personal or confidential information that attackers can use to further their goals.
Phishing through email is the most common method of credential harvesting attack. With some research, an attacker can easily spoof a company's email domain or obtain a domain address that resembles that of the target company. Then, if the message is convincing enough, the attacker only needs the victim to click a link, open a document, or execute a program in order to gain access to a system or collect the victim's credentials.
Common Phishing types:
Fake resumes sent in Rich Text Format (.rtf) to HR
Mixing legitimate links with malicious links to bypass scanners
URL shorteners combined with redirection
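One defensive check that follows from the lookalike-domain tactic above is to compare every inbound sender domain against the corporate domain. This is an added example, not code from the original report; the corporate domain, the sender domains and the small homoglyph table are constructed for illustration.

```python
# Added example (not from the original report): flag sender domains that
# imitate the company's own domain (different TLD, homoglyphs, typos, or
# the corporate name embedded in a longer name). All values are constructed.
CORP_DOMAIN = "examplecorp.com"

def normalize(domain):
    """Fold common homoglyph substitutions so 'exarnp1e' reads as 'example'."""
    d = domain.lower().strip()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(a, b)
    return d

def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_verdict(sender_domain, corp=CORP_DOMAIN, max_dist=2):
    """'exact' for the corporate domain or its subdomains, 'lookalike' for a
    domain that imitates it, 'unrelated' otherwise. The TLD is ignored so
    that examplecorp.co is caught as well as examp1ecorp.com."""
    s = sender_domain.lower().strip()
    if s == corp or s.endswith("." + corp):
        return "exact"
    s_label = normalize(s).rsplit(".", 1)[0]
    c_label = normalize(corp).rsplit(".", 1)[0]
    if s_label == c_label:
        return "lookalike"   # same name after homoglyph folding / other TLD
    if c_label in s_label:
        return "lookalike"   # corporate name embedded, e.g. examplecorp-hr.net
    if levenshtein(s_label, c_label) <= max_dist:
        return "lookalike"   # typosquat within a couple of edits
    return "unrelated"
```

Mail that is not "exact" but scores "lookalike" is a good candidate for quarantine or a visible banner before it reaches HR or finance inboxes.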
Smishing: Sending Phishing attacks through SMS directly to a user's mobile device.
The attacker will send an SMS directly to your mobile device that mimics a service you may trust, such as Amazon or USPS. Clicking the link alone could compromise your machine or redirect you to a legitimate-looking page that asks you to input your login credentials. Once you enter credentials, you will receive an error, but the attacker now has access to your credentials.
Vishing: The practice of conducting Phishing through Voice, i.e., phone calls.
Vishing requires a degree of finesse, but the risk for the attacker is low, and the payoff is incredibly high. With modern technology, it is effortless to spoof a phone number so that to the victim, it looks like the call is coming from a location they know and trust.
Vishing is dangerous because while your personal information may be the target, an attacker might target a third party privy to your information. For instance, Vishers have been known to contact credit card companies, phone companies, and other service providers with your data. They can convince the person on the other end of the line to give them access to your account information.
Credential Stuffing: A cyber-attack that uses large lists of previously compromised credentials to attempt to log into a victim's network.
Credential Stuffing differs from a Brute Force attack (password guessing) in that credential stuffing uses a mixture of bots or scripts and massive password lists gathered from previous data breaches, "rockyou.txt" being the best known.
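The distinction above (many accounts from one source versus many guesses against one account) is exactly what a defender can look for in VPN authentication logs. The following is an added example, not code from the original report; the log format and the sample lines are constructed for illustration and do not follow any vendor's real syntax.

```python
# Added example (not from the original report): sort VPN login sources into
# credential stuffing (one source, many accounts) vs brute force (one account,
# many tries). Log format is constructed: "<ISO time> src=<ip> user=<n> result=<r>"
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-09-01T08:00:01 src=198.51.100.7 user=alice result=failure
2021-09-01T08:00:02 src=198.51.100.7 user=bob result=failure
2021-09-01T08:00:03 src=198.51.100.7 user=carol result=failure
2021-09-01T08:00:05 src=198.51.100.7 user=erin result=success
2021-09-01T08:01:00 src=203.0.113.9 user=frank result=failure
2021-09-01T08:01:10 src=203.0.113.9 user=frank result=failure
2021-09-01T08:01:20 src=203.0.113.9 user=frank result=failure
2021-09-01T08:01:30 src=203.0.113.9 user=frank result=failure
2021-09-01T08:05:00 src=192.0.2.44 user=grace result=failure
2021-09-01T08:05:30 src=192.0.2.44 user=grace result=success
"""

def parse(log):
    events = []  # (timestamp, src, user, result)
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), f["src"], f["user"], f["result"]))
    return events

def classify_sources(events, window=timedelta(minutes=10), users_min=4, fails_min=4):
    """Map each source IP to 'stuffing', 'brute_force' or 'benign'."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        start = rows[0][0]
        recent = [r for r in rows if r[0] - start <= window]
        users = {r[1] for r in recent}
        fails = sum(1 for r in recent if r[2] == "failure")
        if len(users) >= users_min:
            verdicts[src] = "stuffing"      # one source cycling through accounts
        elif len(users) == 1 and fails >= fails_min:
            verdicts[src] = "brute_force"   # one account, repeated guesses
        else:
            verdicts[src] = "benign"
    return verdicts

def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged source: likely already stolen."""
    return sorted({u for _, s, u, r in events if r == "success" and verdicts.get(s) != "benign"})
```

A success from a flagged source (erin above) is the account to reset and investigate first, since the attacker now holds working VPN credentials.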
Protocol Exploitation: A cyber-attack in which an attacker uses known software/protocol vulnerabilities to gain access or attempts to misuse a system with criminal intent.
When most people think of hackers breaching a system, the idea of a knowledgeable, technically skilled individual or group comes to mind. However, most hacks into corporate networks begin with compromised credentials.
Commonly Used Firewalls/VPNs
Fortinet: Fortiguard/Fortigate
Breaches of note:
Colonial Pipeline (May 2021): exploited credentials via rockyou2021.txt
27 state attorneys' offices (May-Dec 2020): exploitation of unpatched VPN
Bangkok Airways (Aug 2021): exploitation of unpatched VPN
498,000 Fortinet VPN Credentials stolen & distributed (Sep 2021): exploitation of unpatched VPNs
Associated CVEs:
CVE-2021-22128
CVE-2020-12812
CVE-2019-5588
CVE-2019-5586
CVE-2019-17655
CVE-2018-13379
The above information on Fortinet's VPN service only represents a sample of data taken between January 2018 and January 2021 and should not be considered all-inclusive. However, Fortinet devices were by far the least patched and the most exploited in the VPN attacks surveyed. At this time, it is unknown whether attackers used a combination of Fortinet-related CVEs to achieve their goals.
Threat Landscape:
Analysis shows that 3,062 public-facing large network devices are currently using Fortigate SSL-VPNs worldwide. Of those, 1,335 are within the United States. 166 large companies own and operate these devices. Furthermore, 68% of these SSL-VPNs provide large-scale technology and telecommunication infrastructure services, which businesses and consumers use. Therefore, any attack against these systems would impose a high cost on businesses and consumers. Further breakdown of SSL-VPN use by industry is below.
Consumer: 6.6%
Energy, Resources & Industrials: 2.4%
Mining & Metals: 0.6%
Financial Services: 1.8%
Government & Public Services: 15.6%
Life Sciences & Health care: 3.0%
Technology, Media & Telecommunications: 69.8%
Ivanti: Pulse Connect Secure
Breaches of note:
SolarWinds (Dec 2020): exploitation of unpatched VPN
Travelex (Dec 2019): exploitation of VPN configuration
Various attacks against US Defense Industrial Base (Apr 2021)
Associated CVEs:
CVE-2021-22893
CVE-2019-11540
Likely discovered by Chinese hacking groups, CVE-2021-22893 is a heavily exploited zero-day. It allows an unauthenticated attacker to execute arbitrary malicious code and gain administrative access to the VPN. Pulse Secure issued an out-of-band patch for this vulnerability and others on 3 May 2021, but many customers have still not updated their systems.
Threat Landscape:
Analysis shows that 23,750 public-facing large network devices are currently using Pulse-Secure SSL-VPNs worldwide. Of those, 6,552 are within the United States. 1,000 large companies make use of these services. The use of Pulse Secure SSL-VPN services looks to be more widespread than with other products, which is likely due to lower cost-per-person and a lower technical bar for entry. Additionally, a significant number of these companies are part of the 2021 Fortune 500. Many of the other companies net more than $5 Million each year. While most companies surveyed were still within the Media, Technology, and Telecommunications sector, many were in the Financial and Healthcare sectors, which are increasingly becoming the target of cyberattacks. Further breakdown of Pulse-Secure SSL-VPN use by industry is below.
Consumer: 19.2%
Energy, Resources & Industrials: 3.9%
Mining & Metals: 0.6%
Financial Services: 12.8%
Government & Public Services: 16.4%
Life Sciences & Health care: 8.8%
Technology, Media & Telecommunications: 38.3%
Barracuda Networks
Breaches of note:
Barracuda Networks (2011): SQL injection
Associated CVEs:
CVE-2021-42711
CVE-2019-6724
CVE-2019-5648
Research into Barracuda Networks has uncovered no significant attacks on their software or VPN services since 2011. Barracuda Networks touts the use of a zero-trust architecture for remote user access. Several large companies, such as Hammersmith Medical Research (UK), have switched to using Barracuda Networks services since being hit with ransomware attacks in 2021.
Threat Landscape:
Analysis shows that there are currently 2,383 public-facing large network devices using Barracuda Networks SSL-VPNs & Next Gen Firewall worldwide. Of those, 1,111 are within the United States. Approximately 280 companies within the Fortune 500 make use of these services. As expected, most usage comes from the Technology, Media, and Telecommunications industries. Further breakdown of Barracuda Networks SSL-VPN use by industry is below.
Consumer: 14.6%
Energy, Resources & Industrials: 2.5%
Mining & Metals: 0.7%
Financial Services: 3.2%
Government & Public Services: 8.9%
Life Sciences & Health care: 3.5%
Technology, Media & Telecommunications: 66.4%
Palo Alto Networks (PAN) Global Protect
Associated CVEs:
CVE-2021-3064
CVE-2021-3063
CVE-2021-3060
CVE-2017-15944
Research into PAN's Global Protect VPN service has not uncovered any known major data breaches. However, one should note that CVE-2021-3064 is a zero-day in PAN's firewall that can allow a hacker to perform a remote code execution attack. The CVE was published on 11 Nov 2021 and affects PAN-OS 8.1.17 and earlier. Global Protect also claims a zero-trust security model and supports BYOD (bring-your-own-device).
Threat Landscape:
Analysis shows that there are currently 16,927 public-facing large network devices using Palo Alto Networks Global Protect SSL-VPNs & Next Gen Firewall worldwide. Of those, 6,537 are within the United States. Approximately 875 companies within the Fortune 500 make use of these services. As expected, most usage comes from the Technology, Media, and Telecommunications industries. Further breakdown of Palo Alto Networks Global Protect SSL-VPN use by industry is below.
Consumer: 14.6%
Energy, Resources & Industrials: 2.5%
Mining & Metals: 0.7%
Financial Services: 3.2%
Government & Public Services: 8.9%
Life Sciences & Health care: 3.5%
Technology, Media & Telecommunications: 66.4%
Additional VPN Attacks of Significance
Korean Atomic Energy Research Institute (June 2021): North Korean actors used an unpatched VPN service flaw to gain access and install a backdoor.
JBS USA (May 2021): Ransomware group REvil exploited credentials through brute force/stuffing coupled with RDP.
Hillel Yaffe Medical Center (Israel, Mar 2021): Israeli security firm Check Point reported that an unknown attacker used flaws in outdated email servers and VPNs to conduct a disruptive ransomware attack. The attack looks to have originated as a Phishing email. The attacker was able to access user credentials and then continue the activity from there.