When ransomware strikes, the first question every security team asks itself is how the attackers got inside what was supposed to be a well-defended network.
These days, that question is asked within minutes of the attack being discovered, and for good reason: without understanding the weakness that let the attackers in, resolving the incident is next to impossible.
Compromised credentials are usually involved somewhere along the line, but which ones? As multi-factor authentication (MFA) is applied to more and more user credentials, evidence suggests that attackers increasingly look for less well-documented connections that have slipped through this net, such as VPNs.
But let’s start with the good news – thanks to insurers, we are getting to see the problem in all its ugly glory. In the past, all the data on vulnerabilities was in the hands of vendors, which is perhaps why, in some cases, the ugly truth wasn’t always spelled out.
For example, according to a recent report by Corvus Insurance, 28.7% of claims in Q3 2024 were traced to weak VPN security, a surge from only 4.8% in the previous quarter. A common problem was a lack of multi-factor authentication (MFA) on these connections, but vulnerabilities in the VPN gateways themselves were another issue.
The report doesn’t mention it, but an example of the latter is CVE-2024-40766, a CVSS 9.3-rated flaw affecting SonicWall VPN hardware that security company Arctic Wolf has observed under active exploitation by at least two ransomware groups in recent weeks.
And it’s not just VPNs from one company; any popular VPN gateway can be a risk. Around the time of the SonicWall report, Cisco patched CVE-2024-20481, a vulnerability dating back to April 2024, when large-scale brute-force attacks were launched against its VPN and SSH gateways.
Another insurer, At-Bay, has gone as far as to state that it believes VPNs have recently replaced notoriously weak spots such as Remote Desktop Protocol (RDP) as the ransomware vector of choice. Given how disastrous RDP is supposed to be, that should make admins take note.
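The two weaknesses the insurer data keeps pointing at, password-only VPN logins with no second factor and brute-force campaigns against the gateway, are both visible in ordinary authentication logs if anyone looks. The script below is an added example written for this article, not code from any vendor or report; it parses a constructed, made-up log format (real Cisco or SonicWall syslog messages look different, so the regular expression would need adapting), flags successful logins that used a password alone, flags source addresses with a burst of failures inside a short window, and then highlights the case that matters most to an incident responder: a success from a source already seen brute forcing.

```python
"""Flag password-only VPN logins and brute-force bursts in gateway auth logs.

Added example for illustration. The log line shape below is invented for this
script; adapt LINE_RE to the syslog format your own gateway actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical gateway "vpn-gw", documentation IPs).
SAMPLE_LOG = """\
2024-10-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.10 factor=password+totp result=success
2024-10-01T08:00:05Z vpn-gw auth user=bob src=198.51.100.7 factor=password result=success
2024-10-01T08:01:00Z vpn-gw auth user=carol src=192.0.2.55 factor=password result=failure
2024-10-01T08:01:01Z vpn-gw auth user=dave src=192.0.2.55 factor=password result=failure
2024-10-01T08:01:02Z vpn-gw auth user=erin src=192.0.2.55 factor=password result=failure
2024-10-01T08:01:03Z vpn-gw auth user=frank src=192.0.2.55 factor=password result=failure
2024-10-01T08:01:04Z vpn-gw auth user=grace src=192.0.2.55 factor=password result=failure
2024-10-01T08:01:05Z vpn-gw auth user=heidi src=192.0.2.55 factor=password result=failure
2024-10-01T08:09:30Z vpn-gw auth user=ivan src=192.0.2.55 factor=password result=success
2024-10-01T09:30:00Z vpn-gw auth user=judy src=203.0.113.44 factor=password result=failure
2024-10-01T09:30:10Z vpn-gw auth user=judy src=203.0.113.44 factor=password+totp result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"factor=(?P<factor>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["mfa"] = "+" in ev["factor"]  # "password" alone means no second factor
        events.append(ev)
    return events


def password_only_logins(events):
    """Successful logins that used a single factor: the MFA gap the insurers describe."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "success" and not e["mfa"]]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside a sliding time window.

    Returns {src: set_of_usernames_tried} so the analyst can see whether one
    account was hammered or many accounts were sprayed."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = {e["user"] for e in evs}
                break
    return hits


def successes_after_brute_force(events, sources):
    """A success from a source already flagged for brute force is the line to escalate."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "success" and e["src"] in sources]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password-only logins:", password_only_logins(evs))
    bf = brute_force_sources(evs)
    print("brute-force sources:", {k: sorted(v) for k, v in bf.items()})
    print("success after brute force:", successes_after_brute_force(evs, bf))
```

On the sample data, bob's and ivan's logins are flagged as password-only, 192.0.2.55 is flagged for six failures in five seconds across six different usernames, and ivan's later success from that same address is the event to escalate. The threshold and window are deliberately parameters: tune them against your own gateway's normal failure rate before alerting on them.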
What is going on?
While VPN compromise is not new, what has changed is the number of VPNs available to target at a time of increased remote working. Another factor is that credentials for remote-access technologies such as RDP are being better secured with MFA, which forces attackers to look elsewhere.
However, an interesting theme in the insurer data is the issue of on-premises VPNs, which remain popular because they are cheaper to run than managed cloud VPNs, assuming you’ve already invested in the hardware.
“Our data shows that businesses that use self-managed VPNs, implemented on-premises and maintained by in-house IT teams, are associated with a considerably higher risk of a security incident than businesses that don’t use self-managed VPNs,” noted At-Bay’s report.
“Self-managed” includes Citrix SSL connections not protected by MFA, the weakness that led to the huge Change Healthcare ransomware attack from earlier this year.
VPN, strength or weakness?
The irony of all this is that VPNs are regularly cited as a security technology. But according to another security company, Specops, 2,151,523 VPN passwords were compromised by malware over the previous 12 months, each one providing fuel for new attacks.
“If VPN passwords are becoming compromised, these great cybersecurity benefits [of VPNs] can be undone and actually offer a route into your organization for attackers,” said Darren James, senior product manager, hitting the nail squarely on the head.
And it doesn’t require much sophistication: VPNs are everywhere, their weaknesses are easily discovered, and the patching of on-premises gateways remains too slow. Not for the first time, attackers have turned a technology designed to improve security on its head.