
Virtual Private Networks (VPNs) are a major piece of internet infrastructure holding together the work-from-home workforce right now. VPNs are responsible for encrypting web traffic, keeping data safe, and protecting privacy.

Description

With most employees working from home amid COVID-19 (coronavirus) outbreak, VPN servers have now become paramount to a company's backbone, and their security and availability must be the focus going forward for IT teams. It is now more important than ever that companies and IT staff set up systems to capture metrics about the performance and availability of VPN services.

Affected Systems

CISA (Cybersecurity and Infrastructure Security Agency) has issued an advisory for all VPN servers and client software.

Recommendations

Here are some tips for securing company resources during remote work:

  • Enable MFA for VPN Accounts: Companies should enable Multi-Factor Authentication (MFA) solutions to protect VPN accounts from unauthorized access.
  • Patch and update VPN Servers: Companies should review the patch levels as corporate VPN solutions have become the target of widespread attacks since the summer of 2019.
  • Deter a DDoS (distributed denial of service) attack on VPNs: A hacker can launch a DDoS (distributed denial of service) attack on a VPN service and exhaust its resources, thereby crashing the VPN server and limiting its availability.
  • Stay vigilant regarding expected COVID-19 phishing scams: avoid social engineering and phishing attacks during these uncertain times when employees are distracted and may be prone to click on untrusted sources for news updates.

Enable Multi-Factor Authentication for VPN accounts

In light of an expected increase in VPN phishing attacks, companies should look very closely at enabling a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access. In a report last year, Microsoft said that enabling an MFA solution for online accounts usually blocks 99.9% of all account takeover (ATO) attacks, even if the attacker has valid credentials for the victim's account.

VPN servers must be patched and updated

In addition to enabling MFA to protect VPN accounts for employees working from home, organizations should review the patching levels of corporate VPN products.

Previous attacks have targeted VPN servers from vendors such as Palo Alto Networks, Fortinet, Pulse Secure, and Citrix. Patches should be applied, and advisories should be followed, for critical vulnerabilities mentioned below:

With more and more companies needing VPN capabilities to allow workers to log into private corporate systems and do their duties, IT staff are responding by putting up more VPN servers to deal with the surging traffic. IT staff now need to pay close attention to the new VPN servers they are putting up and make sure these systems have been patched for the vulnerabilities listed above, which are some of the most targeted vulnerabilities today.

The danger of DDoS attacks on VPN servers

With so many organizations moving their employee workforce to work-from-home roles, there is now a new threat on the horizon: extortion. Hackers could launch DDoS attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability for mission-critical operations.

With the VPN server acting as a gateway to a company's internal network, this would prevent all remote employees from doing their jobs, effectively crippling an organization that has little to no workers on-site. Furthermore, SSL-based VPNs (like Pulse Secure, Fortinet, Palo Alto Networks, and others) are also vulnerable to an SSL Flood (DDoS) attack, just like web servers.

Social Engineering and phishing attacks are common tactics for hackers

The rapid introduction of work-from-home accelerates risk from adversaries. Remind employees to stay aware of potential phishing attempts, and if in doubt, don’t open or click on unknown or suspicious emails. People are sometimes the weakest link that malicious actors target in their stealthy attempts to inflict damage or steal sensitive data.

Netsurion EventTracker SOC Actions

The EventTracker SOC is monitoring VPN reports diligently to identify irregular VPN usage patterns, making it easier to alert on infected accounts. We will promptly notify you of any suspicious activity.
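The kind of "irregular VPN usage pattern" a SOC looks for can be expressed as simple rules over VPN authentication logs. The following is an added example written for this article; it is not EventTracker code. It assumes a constructed, generic syslog-style VPN authentication record (timestamp, result, user, source IP, country code), so the regular expression would need adapting to a real appliance's log format. It flags two patterns: a burst of failed logins immediately followed by a success (brute force or password spray that landed), and two successful logins for the same user from different countries within an hour (impossible travel).

```python
"""Flag irregular VPN usage patterns in authentication log lines.

Added example, not Netsurion/EventTracker code. The log format parsed
below is a constructed, generic one (assumption); real VPN appliances
each have their own format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption):
# "<ISO timestamp> vpn auth <SUCCESS|FAILURE> user=<u> src=<ip> geo=<CC>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines, fail_threshold=5, fail_window=timedelta(minutes=10),
            travel_window=timedelta(hours=1)):
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        # Rule 1: at least fail_threshold failures inside fail_window,
        # followed by a success: a credential attack that succeeded.
        fails = []
        for e in evs:
            if e["result"] == "FAILURE":
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= fail_window]
            else:
                recent = [t for t in fails if e["ts"] - t <= fail_window]
                if len(recent) >= fail_threshold:
                    alerts.append(("failures_then_success", user,
                                   f"{len(recent)} failures before success from {e['src']}"))
                fails = []

        # Rule 2: consecutive successes from different countries within
        # travel_window (impossible travel).
        successes = [e for e in evs if e["result"] == "SUCCESS"]
        for a, b in zip(successes, successes[1:]):
            if a["geo"] != b["geo"] and b["ts"] - a["ts"] <= travel_window:
                alerts.append(("impossible_travel", user,
                               f"{a['geo']} -> {b['geo']} within {b['ts'] - a['ts']}"))
    return alerts


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2020-03-20T09:00:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:01:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:02:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:03:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:04:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:05:00 vpn auth FAILURE user=alice src=203.0.113.10 geo=US",
    "2020-03-20T09:06:00 vpn auth SUCCESS user=alice src=203.0.113.10 geo=US",
    "2020-03-20T10:00:00 vpn auth SUCCESS user=bob src=198.51.100.7 geo=US",
    "2020-03-20T10:30:00 vpn auth SUCCESS user=bob src=192.0.2.44 geo=RU",
    "2020-03-20T11:00:00 vpn auth SUCCESS user=carol src=198.51.100.9 geo=US",
    "2020-03-20T11:01:00 vpn auth FAILURE user=carol src=198.51.100.9 geo=US",
    "2020-03-20T11:02:00 vpn auth SUCCESS user=carol src=198.51.100.9 geo=US",
    "this line is malformed and should be ignored",
]


def run_sample():
    """Run the rules over the constructed sample and return the alerts."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule}: {user}: {detail}")
```

On the sample, alice (six failures then a success) and bob (US then RU within 30 minutes) are flagged, while carol's single mistyped password is not. The thresholds are deliberately parameters: tune them to the organization's baseline before alerting on them, or the SOC will drown in noise from users who simply forget their password.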

Conclusion

With the increased use of remote work, organizations should ensure that their VPN solution is monitored, patched, and closely managed to protect against active exploits. Expect phishing emails and social engineering attempts related to COVID-19 to continue, especially against high-value targets like sys admins in order to steal credentials. Please don’t hesitate to contact Netsurion or your customer success manager with any questions or to discuss something suspicious.

Resources

CISA Alert on VPN Security: https://www.us-cert.gov/ncas/alerts/aa20-073a
CISA Alert on Avoiding Social Engineering and Phishing Attacks: https://www.us-cert.gov/ncas/tips/ST04-014
NIST’s Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions: https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf