Attacks against virtual private networks (VPNs) and their products have seen a staggering increase in the first quarter of this year as malicious actors exploit previously known vulnerabilities, according to a new report.
In its most recent Threat Landscape Report, managed security services company Nuspire revealed a 1,916% increase in attacks against Fortinet’s SSL-VPN. It also identified a 1,527% spike in attacks against Pulse Connect Secure VPN. Based on the log data the security company collected, malicious actors tried to exploit a path traversal vulnerability in Fortinet’s SSL-VPN, tracked as CVE-2018-13379.
This vulnerability allows unauthenticated attackers to download files. Meanwhile, the attacks on Pulse Connect Secure VPNs stem from threat actors exploiting CVE-2019-11510. Both companies had already rolled out patches for these flaws after security analysts and experts warned of high adversary interest in the vulnerabilities.
In April, the FBI and NSA, along with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, discovered that Russia’s Foreign Intelligence Service (SVR) is the culprit behind attacks exploiting the Fortinet and Pulse Secure VPN flaws against networks in the U.S. and its allies. Nuspire director of threat intelligence and rapid response Jerry Nguyen revealed the reason for the massive increase in activity targeting VPN devices in the first quarter of this year.
According to him, the spike in VPN attacks has to do with organizations not patching known vulnerabilities despite repeated warnings in the past. “The US CIRT released a number of reminder alerts that attackers were looking at these VPNs and people should patch,” Nguyen said. “The biggest thing we are seeing with VPNs [is that] everyone is looking at the endpoint and not the perimeter when they need to look at both,” he added.
In a report last April, intelligence sharing platform Digital Shadows echoed the same sentiment about increased attacker interest in VPNs, particularly right after the COVID-19 outbreak and the shift to a hybrid work environment that followed. The report also pointed out that compromised VPN appliances offer malicious actors broad access.
Nuspire has also identified remote working as one of the main reasons for the surge in VPN attacks. According to Nuspire chief security officer J.R. Cunningham, “2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods.”
In the Threat Landscape Report, Cunningham mentioned that “this added multiple new attack vectors that enabled threat actors to prey on organizations, which is what we started to see in Q1 and are continuing to see today.”