It seems like time and time again, VPN products are the initial access vector for targeted attacks or ransomware groups. This was – once again – demonstrated by the recent Ivanti Connect Secure zero-day vulnerabilities. According to Volexity, at least 1,700 devices were compromised in one or more campaigns, one of which was attributed by Mandiant to UNC5221.
Not so long ago, Fortinet disclosed several vulnerabilities, admitting they were used by the Volt Typhoon campaign as the initial compromise vector. According to Microsoft’s analysis, this campaign was active from the middle of 2021, targeting numerous organizations across industries including “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”
Cisco also acknowledged that the Akira ransomware group was targeting their VPNs as the initial access vector. A further analysis by Tenable explained how security vulnerabilities enabled attackers to compromise Cisco ASA and FTD devices when their VPN feature was enabled.
Apart from anecdotes, there is alarming evidence that VPN vulnerabilities can be used for initial compromise. According to Top10VPN, in 2023 alone, 133 VPN vulnerabilities were disclosed and at least 20 are known to have been exploited. Consider that the period from when these vulnerabilities are disclosed to the point they are patched (if at all) poses a major potential security risk for many organizations.
Given all this, it seems VPNs are no longer Virtual Private Networks, but rather, on occasion, Virtual Public Networks. To understand better why this is happening, let’s consider several of the underlying flaws which are common to most VPN solutions, making them insecure by design.
Your (Virtual) Privates are Showing
Most VPN solutions expose at least one TCP port. Depending on the product used and how it’s configured, there could be many other ports accessible over the internet, including the IPsec UDP ports, a DNS port, a remote administration port, and so on.
This is a problem, as anyone with internet access can collect information about which VPN vendor you are using, which version, which underlying hardware is used, and which CVEs may be used to attack it. Tools such as nmap contain many VPN signatures, and services such as shodan.io can be used to select targets.
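A first defensive check is to audit what the gateway itself is listening on, before an outsider does. The following is an added example (not Zero Networks code and not tied to any vendor) that parses `ss -lntu` output and flags services bound to all interfaces that are not on an expected-public list; the sample output, the expected-port list and the management-port list are constructed assumptions.

```python
"""Audit a VPN gateway's listening sockets for unexpected internet-facing
services. Added example, not Zero Networks code; the `ss -lntu` output and
the expected-port list below are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed `ss -lntu` output from a hypothetical gateway host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4500       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        10.0.0.5:8443        0.0.0.0:*
tcp   LISTEN 0      128             [::]:53            [::]:*
"""

# Assumption: the only services this gateway is meant to expose publicly
# are IPsec (UDP 500/4500) and the SSL VPN on TCP 443.
EXPECTED_PUBLIC = {("udp", 500), ("udp", 4500), ("tcp", 443)}
# Management services that must never be reachable from the internet.
ADMIN_PORTS = {("tcp", 22), ("tcp", 8443), ("tcp", 3389)}
# Binds that listen on every interface, including the internet-facing one.
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}

# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port
LINE_RE = re.compile(r"^(udp|tcp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    bind: str
    severity: str
    reason: str


def split_addr_port(addr_port):
    """Split 'addr:port', tolerating IPv6 forms such as '[::]:53'."""
    addr, _, port = addr_port.rpartition(":")
    return addr, int(port)


def audit_listeners(ss_output):
    """Return findings for wildcard-bound services not on the expected list."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not recognise
        proto, local = m.group(1), m.group(2)
        bind, port = split_addr_port(local)
        if bind not in WILDCARD_BINDS:
            continue  # bound to one specific address; not exposed by the bind alone
        if (proto, port) in EXPECTED_PUBLIC:
            continue
        if (proto, port) in ADMIN_PORTS:
            findings.append(Finding(proto, port, bind, "high",
                                    "management port bound to all interfaces"))
        else:
            findings.append(Finding(proto, port, bind, "medium",
                                    "unexpected service bound to all interfaces"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"[{f.severity}] {f.proto}/{f.port} on {f.bind}: {f.reason}")
```

A wildcard bind is only a lead, not proof of exposure: an upstream firewall or NAT rule may still block it, so confirm from an external vantage point as well. Conversely, a service bound to a specific internal address can still be reached if that address is routed from the VPN subnet, which is the "too much trust" problem discussed further down.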
Insecure by Default
Configuring a VPN service can be complicated, allowing too much wiggle room for security mistakes. One such mistake was made by Cisco customers who did not configure MFA for their VPN clients. This enables attackers to brute force credentials, or buy compromised ones from shady vendors, and use them to get inside the network.
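Enforcing MFA removes the value of a guessed or purchased password; until that is done, the compensating control is to watch the VPN authentication log for the patterns a password-only gateway invites. The following is an added example (not Zero Networks code, and the log format is a constructed, vendor-neutral one) that runs three detections over sample lines: a single source failing repeatedly, a single source trying many distinct users (spraying), and a success that follows a burst of failures from the same source.

```python
"""Detect brute-force, password-spray and success-after-failure patterns in
VPN authentication logs. Added example, not Zero Networks code; the log
format, sample lines and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (vendor-neutral format assumed for illustration).
SAMPLE_LOG = """\
2024-02-01T10:00:00Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2024-02-01T10:00:01Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2024-02-01T10:00:02Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2024-02-01T10:00:03Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2024-02-01T10:00:04Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
2024-02-01T10:00:10Z vpn-gw auth user=alice src=203.0.113.10 result=SUCCESS
2024-02-01T10:01:00Z vpn-gw auth user=bob src=198.51.100.7 result=FAIL
2024-02-01T10:01:05Z vpn-gw auth user=carol src=198.51.100.7 result=FAIL
2024-02-01T10:01:10Z vpn-gw auth user=dave src=198.51.100.7 result=FAIL
2024-02-01T10:01:15Z vpn-gw auth user=erin src=198.51.100.7 result=FAIL
2024-02-01T10:02:00Z vpn-gw auth user=frank src=192.0.2.33 result=SUCCESS
2024-02-01T10:20:00Z vpn-gw auth user=alice src=203.0.113.10 result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAIL|SUCCESS)$"
)
WINDOW = timedelta(minutes=5)   # sliding window per source address
BRUTE_THRESHOLD = 5             # failures from one source within the window
SPRAY_USERS = 3                 # distinct users failing from one source
SUCCESS_AFTER_FAILS = 3         # failures preceding a success from one source


def parse_line(line):
    """Return (timestamp, user, src, result) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"], m["result"]


def detect(log_text):
    """Return a list of (alert_type, src, detail) in the order they fire."""
    alerts = []
    recent = defaultdict(deque)          # src -> deque of (ts, user) failures in window
    brute_flagged, spray_flagged = set(), set()   # alert once per source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src, result = ev
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                  # expire failures outside the window
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= BRUTE_THRESHOLD and src not in brute_flagged:
                brute_flagged.add(src)
                alerts.append(("brute_force", src, f"{len(q)} failures within {WINDOW}"))
            users = {u for _, u in q}
            if len(users) >= SPRAY_USERS and src not in spray_flagged:
                spray_flagged.add(src)
                alerts.append(("password_spray", src, f"{len(users)} distinct users: {sorted(users)}"))
        elif len(q) >= SUCCESS_AFTER_FAILS:
            alerts.append(("success_after_failures", src,
                           f"{user} succeeded after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {src:16} {detail}")
```

The success-after-failures alert is the one worth paging on: on a gateway without MFA it is the closest thing to a signal that a guessed password actually worked. The last sample line shows the window expiring, so a lone failure twenty minutes later raises nothing new.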
Too Much Trust
According to the reports mentioned above, once VPN access is gained, attackers follow the familiar cycle of discovery -> privilege escalation -> lateral movement -> repeat. Because VPN subnets are usually considered internal, there is no intermediary device, such as a firewall, separating them from the rest of the network.
The VPN client, or the VPN server for that matter, should not have carte blanche to roam the network freely. On the contrary: because VPN servers are exposed to the internet, their network access should be tightly controlled. Similarly, clients connecting via VPN should not be treated the same as physical devices connected to the local network.
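To make the contrast concrete, here is an added example (not Zero Networks code) of the two trust models side by side as a policy evaluator: the legacy model in which any VPN client, and the gateway itself, is treated as internal and may reach any private address, and a default-deny model in which each connection is judged by the user's identity group and the gateway is allowed only the backend services it needs to authenticate users. The groups, addresses, rules and flows are constructed assumptions.

```python
"""Identity-based, default-deny access policy for a VPN subnet and the VPN
server itself, compared with a flat "VPN is internal" model. Added example,
not Zero Networks code; groups, rules, addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str                 # identity group, or "vpn-server" for the gateway itself
    dst: ipaddress.IPv4Network
    proto: str
    port: int


# Assumption: group membership as it would come from the identity provider.
USER_GROUPS = {
    "alice": {"engineering"},
    "bob": {"finance"},
    "carol": set(),              # contractor with no group assigned yet
}

# Constructed least-privilege policy. Anything not listed here is denied.
POLICY = [
    Rule("engineering", ipaddress.ip_network("10.10.20.0/24"), "tcp", 22),   # build hosts
    Rule("engineering", ipaddress.ip_network("10.10.30.5/32"), "tcp", 443),  # internal git
    Rule("finance", ipaddress.ip_network("10.10.40.10/32"), "tcp", 443),     # ERP front end
    Rule("vpn-server", ipaddress.ip_network("10.10.1.10/32"), "udp", 1812),  # RADIUS / MFA backend
    Rule("vpn-server", ipaddress.ip_network("10.10.1.2/32"), "udp", 53),     # internal DNS
]


@dataclass(frozen=True)
class Flow:
    subject: str                 # authenticated user name, or "vpn-server"
    dst_ip: str
    proto: str
    port: int


def subjects_for(name):
    """Map a connection's principal to the policy subjects it may match."""
    if name == "vpn-server":
        return {"vpn-server"}
    return USER_GROUPS.get(name, set())


def is_allowed(flow, policy=POLICY):
    """Default deny: allow only if some rule matches the identity, protocol, port and destination."""
    dst = ipaddress.ip_address(flow.dst_ip)
    groups = subjects_for(flow.subject)
    return any(
        r.subject in groups and r.proto == flow.proto and r.port == flow.port and dst in r.dst
        for r in policy
    )


def legacy_is_allowed(flow):
    """The 'too much trust' model: anything on the VPN reaches any private address."""
    return ipaddress.ip_address(flow.dst_ip).is_private


# Constructed flows: an engineer, a finance system, a contractor, and the gateway.
SAMPLE_FLOWS = [
    Flow("alice", "10.10.20.15", "tcp", 22),       # engineer to a build host
    Flow("alice", "10.10.40.10", "tcp", 443),      # engineer to the finance ERP
    Flow("carol", "10.10.20.15", "tcp", 22),       # contractor to a build host
    Flow("vpn-server", "10.10.1.10", "udp", 1812), # gateway to its MFA backend
    Flow("vpn-server", "10.10.50.20", "tcp", 445), # compromised gateway to a file server
]


def evaluate(flows, policy=POLICY):
    """Return (flow, legacy_decision, zero_trust_decision) for each flow."""
    return [(f, legacy_is_allowed(f), is_allowed(f, policy)) for f in flows]


if __name__ == "__main__":
    for f, legacy, zt in evaluate(SAMPLE_FLOWS):
        print(f"{f.subject:11} -> {f.dst_ip}:{f.port}/{f.proto}  legacy={legacy}  zero-trust={zt}")
```

The last flow is the one that matters for the "VPN server has limited access" point: under the flat model a compromised gateway can reach the file server on 445, while under the identity-based policy it can talk only to its authentication and DNS backends. Enforcing such a policy in practice means placing the VPN subnet and the gateway behind a filtering point (a firewall or host-based rules) rather than on a trusted internal segment.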
Zero Networks' Solution: Secure by Design
All of the above design flaws, which exist in many legacy VPN providers (and also in some ZTNA providers), are mitigated by Zero Networks’ secure remote access solution, Zero Networks Connect™️. Zero Networks Connect combines the speed of VPN and the security of ZTNA, eliminating their flaws. It is the only remote access solution on the market that provides zero trust architecture and optimal network performance for the user.
Zero Networks Connect mitigates the aforementioned security issues with an innovative, secure architecture. The following features make Zero Networks Connect the fastest and most secure remote access solution:
- It’s Invisible:
  - No port is open to the internet.
  - Only pre-approved assets, after passing MFA, can connect to the VPN port.
- Batteries included:
  - Your MFA of choice is always used for remote access.
  - Uses WireGuard®: widely accepted as the fastest open-source VPN with best-in-class cryptography.
- Zero Trust:
  - Each connected VPN user has restricted access, based on their identity.
  - The VPN server has limited access.
There is a better way to a true Virtual Private Network for your remote access needs. You can learn more about Zero Networks Connect here. If you’re ready to chat with us about replacing your VPN, reach out today here.