In 2020, a set of passwords, usernames and IPv4 addresses for over 900 Pulse Secure VPN servers was posted online alongside other credentials. Those other details included SSH keys for each server, administrator account details, a list of every user with their password hash, previous VPN sign-ins and VPN session cookies.
So how did the attackers obtain this information?
The leaked data also listed the firmware version of every VPN server, and every listed server was running an older firmware version affected by an arbitrary file read vulnerability, CVE-2019-11510.
According to researchers, the attackers scanned the IPv4 address space and exploited CVE-2019-11510 to access each company's server details and sensitive systems. Based on timestamps, the information was collected between June 24 and July 08, 2020.
At the time of the scan, 617 of the IP addresses that were online were still susceptible to CVE-2019-11510, even though the vulnerability had been disclosed in 2019 and users had been urged to apply the security patch and change their passwords immediately.
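To make the arbitrary-file-read angle concrete from the defender's side, here is an added Python example (not from the original article, Pulse Secure, or the researchers cited) that scans constructed web-access-log lines from a VPN appliance's HTTPS front end for path-traversal requests, undoes repeated percent-encoding, and resolves where each request actually points. The log format, endpoint names and the list of sensitive file prefixes are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format; not real data from the breach.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2020:10:02:11 +0000] "GET /vpn/login HTTP/1.1" 200 5123
203.0.113.7 - - [01/Jul/2020:10:02:13 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.4 - - [01/Jul/2020:10:05:00 +0000] "GET /portal/..%252f..%252f..%252fetc/shadow HTTP/1.1" 200 1311
192.0.2.9 - - [01/Jul/2020:10:06:30 +0000] "GET /images/logo.png HTTP/1.1" 304 0
192.0.2.9 - - [01/Jul/2020:10:07:02 +0000] "GET /help/../faq.html HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Assumed list of paths an arbitrary-file-read attempt commonly targets.
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/root", "/home")

def decode_fully(path, max_rounds=3):
    """Undo repeated percent-encoding (bounded) so encoded dots cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolve(raw):
    """Collapse '.' and '..' segments; report whether '..' climbed above the web root."""
    stack, escaped = [], False
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped

def analyze_path(target):
    """Return (resolved_path, reasons) for one request target."""
    raw = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", raw):
        reasons.append("traversal")
    resolved, escaped = resolve(raw)
    if escaped:
        reasons.append("root-escape")
    if any(resolved == p or resolved.startswith(p + "/") for p in SENSITIVE_PREFIXES):
        reasons.append("sensitive-target")
    return resolved, reasons

def find_suspicious(log_text):
    """Parse access-log lines and keep those showing traversal or sensitive targets."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            resolved, reasons = analyze_path(m["target"])
            if reasons:
                hits.append({"ip": m["ip"], "target": m["target"], "resolved": resolved,
                             "status": int(m["status"]), "reasons": reasons})
    return hits
```

A request that both escapes the web root and resolves to a sensitive file with a 200 status is the combination worth alerting on; a lone "traversal" inside the root is usually benign client behaviour.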
It Is High Time To Evaluate Remote Access Again
VPN server use has grown with the spread of remote work; one study shows a 124% rise in March of last year alone. More than ever, employees and third parties rely on VPNs for remote access to corporate networks, and occasionally to critical business applications and systems they need to do their jobs. However, VPNs provide network access; they were not designed to grant privileged access to critical internal systems.
The growing reliance on VPNs has drawn the attention of attackers looking to exploit the dynamic environment created by COVID-19, and many of them have succeeded.
Exploiting VPN server vulnerabilities to reach sensitive systems lets them not only deploy ransomware and encrypt entire networks but also demand large ransoms. In the US, the average ransom demand is $84,000, and incidents typically take servers down for 16 days.
VPNs have traditionally served a critical role, but many breaches, including this one, underline why organizations must re-evaluate how they grant access to the most sensitive parts of their corporate networks.
When looking at ways to connect remote workers and vendors, striking the right balance between usability and security is essential. According to Doron Naim of CyberArk Labs, the following enable enterprises to strike that balance without costly trade-offs:
- Advances in ZTNA (Zero Trust Network Access), which grants granular access to specific critical systems rather than the entire network
- Biometric MFA (multi-factor authentication)
- Just-in-time (JIT) provisioning
Such approaches, combined with isolating and managing privileged sessions, can in some cases eliminate the need for a VPN altogether, along with the operational burden it places on IT administrators.