VPN Vulnerabilities As a Target: Virtual Private Not At All
If you thought VPNs were secure or private, think again.
Our most recent research, “Perils in the Periphery”, examines threat data from January 1 to July 31, 2024 (2024H1) compared with our data from the first half of 2023. We discovered two observable and notable trends:
- VPN vulnerabilities are heavily targeted by major threat groups
- State-sponsored actors are using hacktivist personas as a disguise
The first half of 2024 has also had changes to the threat landscape, including a 43% surge in published vulnerabilities and an increase in ransomware incidents. Understanding all of these new threats is essential for improving an organization’s security posture and cyber resilience.
VPN Vulnerabilities Are Massive Targets
The trend of exploits targeting perimeter and network infrastructure devices has only increased in 2024H1. VPNs have been a primary target during this period as threat actors have exploited a series of vulnerabilities in widely used solutions, such as Ivanti Connect Secure, Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and FortiOS SSL VPN, leading to unauthorized access.
These attacks frequently utilized zero-days or recently disclosed vulnerabilities that had not yet been patched. The motivations behind these attacks typically included espionage, data theft and the disruption of critical services, particularly in sectors heavily reliant on remote access. Specific examples include:
- Chinese APTs, such as Volt Typhoon, are exploiting FortiOS SSLVPN vulnerabilities for initial access and deploy custom malware on over 20,000 devices worldwide, including a Dutch military network.
- The ArcaneDoor campaign, attributed to STORM-1849, gained unauthorized access to government networks worldwide via Cisco’s SSL VPN services.
- The Chinese group RedJuliett exploits known vulnerabilities in firewalls, VPN appliances and load balancers to gain initial access into Taiwanese organizations for intelligence gathering.
In response to this wave of attacks, CISA released a guide on “modern approaches to network access security” discussing how organizations can replace VPNs with solutions including SASE. Similarly, Norway’s cybersecurity center recommended that organizations replace their SSL VPN solutions with alternatives using IPsec.
Key Findings:
- Published vulnerabilities increased by 43%
- The number of CVEs added to CISA KEV decreased by 23%
- 20% of new exploited vulnerabilities target VPN or network infrastructure appliances
- 387 threat actors tracked in 2024: China has the most
- The most targeted countries are the US, Germany and India
- The top targeted verticals are government, financial services and technology
- We observed 3,085 ransomware attacks, a 6% increase.
- 441 attacks per month or 15 per day
- The number of active groups grew 55%
Go deeper: 2024 has been a year for risky network assets. See all of them in our roundup “Riskiest Connected Devices”. Plus, watch our on-demand webinar Daniel dos Santos, Senior Director of Research, Vedere Labs.
Critical Infrastructure in the Crosshairs
Lines Blur Between Hacktivists and State-Sponsored Actors
In 2022, we reported on a trend of hacktivists aligning with geopolitical conflicts and expanding their TTPs from defacements and DDoS to data leaks and disruption of cyber-physical systems. Nearly two years later, the trend has evolved to state-sponsored actors using hacktivist personae to conduct some of their attacks. This shift may be driven by several factors, such as increased visibility of campaigns and plausible deniability for the actors.
Notable early examples include “Predatory Sparrow,” which poses as a hacktivist group rebelling against the Iranian state, but is believed to be affiliated with Israel. Similarly, Iranian groups like “Karma Power” and “The Malek Team” have targeted Israeli critical infrastructure and are thought to be affiliated with Iran’s Ministry of Intelligence or the Islamic Revolutionary Guard Corps.
Critical infrastructure organizations continue to be disproportionally targeted by this type of threat actor. Notable examples in 2024H1 include:
- The Cyber Army of Russia, believed to be linked to Sandworm, launched an attack against a wastewater treatment plant in the U.S. This attack occurred a month after the White House warned of hackers targeting U.S. water systems.
- The BlackJack group, thought to be affiliated with Ukrainian intelligence, used the custom malware Fuxnet to disable thousands of sensors monitoring Moscow’s sewage system.
- The Ikaruz Red Team, believed to be affiliated with China, deployed ransomware created using builders from several known families, such as LockBit, Cl0p and ALPHV to disrupt the government of the Philippines.
Partly due to the increase in attacks like these, OT device manufacturer Rockwell Automation issued an alert in May, warning their users to take internet-exposed devices offline “due to heightened geopolitical tensions and adversarial cyber activity globally”.
Mitigation Guidance
For complete, detailed mitigation recommendations, charts on CISA KEV and Vedere Labs KEV, threat actors, and much more, read the complete research report.
We encourage organizations to prioritize extending visibility, risk assessment and proactive controls to cover the increased attack surface of VPNs and network perimeter assets and appliances being exploited. In addition, we urge organizations to follow specific recommendations for disconnecting internet-exposed operational technology and replacing SSL VPNs.
After implementing proactive controls, ensure that threat detection and response systems encompass every device within the whole organization. Since threats now move from one type of device to another, it is crucial to detect them throughout the entire organization – from an entry point such as a vulnerable router, to a pivot point, like a misconfigured workstation, and finally to a target such as an insecure OT device. Ensure your threat detection solution covers all device types and ingests multiple data sources, including firewalls, intrusion detection systems, endpoint detection and response (EDR) and other security tools.