In 2020, a list of usernames, passwords and IPv4 addresses for more than 900 Pulse Secure VPN servers was posted online, together with other material taken from each server: the SSH keys used to access it, administrator account details, a dump of every local user with their password hash, the most recent VPN logins, and VPN session cookies.
So how did the attackers get hold of all of this?
The leaked data also recorded the firmware version of every server, and that is the telling detail: every listed server was running an older firmware release affected by CVE-2019-11510, an arbitrary file read vulnerability in Pulse Secure's VPN appliances.
According to researchers, the attackers scanned the entire IPv4 address space for Pulse Secure VPN servers and used CVE-2019-11510 to read files off each vulnerable host, which is how they harvested the credentials, keys and session data described above. Timestamps in the dump show the data was collected between June 24 and July 8, 2020.
At the time of that scan, 617 of the IP addresses on the list were still online and still vulnerable to CVE-2019-11510. That is despite the vulnerability having been disclosed in 2019, when customers were told to apply the security patch and reset their passwords immediately.
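The practical check that follows from this is to take the (IP, firmware version) pairs from such a list, or from your own inventory, and flag every build that predates the fixed release in its Pulse Connect Secure release train. The Python below is an added example written for this article, not code from the original page or from Pulse Secure. The fixed-version table is my recollection of the vendor advisory for CVE-2019-11510 (SA44101), the treatment of release trains outside that table and the sample entries are assumptions, and all three are labelled as such in the code; confirm the thresholds against the current advisory before relying on them.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# ASSUMPTION: first fixed build in each affected release train, as listed in
# the Pulse Secure advisory for CVE-2019-11510 (SA44101) to the best of my
# recollection. Verify against the current advisory before relying on it.
FIXED_IN: Dict[str, Tuple[int, int]] = {
    "9.0": (3, 4),   # fixed in 9.0R3.4 (and 9.0R4)
    "8.3": (7, 1),   # fixed in 8.3R7.1
    "8.2": (12, 1),  # fixed in 8.2R12.1
    "8.1": (15, 1),  # fixed in 8.1R15.1
}

# Pulse Connect Secure version strings look like "8.3R7.1" or "9.0R4":
# <major>.<minor>R<release>[.<build>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


@dataclass(frozen=True)
class PcsVersion:
    train: str    # e.g. "9.0"
    release: int  # the number after "R"
    build: int    # trailing ".N", 0 when absent


def parse_version(text: str) -> PcsVersion:
    """Parse a Pulse Connect Secure version string; raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, build = m.groups()
    return PcsVersion(f"{major}.{minor}", int(release), int(build or 0))


def assess(version_text: str) -> str:
    """Classify a firmware version against CVE-2019-11510.

    Returns "vulnerable", "patched" or "unknown". Release trains newer than
    9.0 shipped after the fix and are treated as patched; trains older than
    8.1 are end-of-life and get "unknown" so a human reviews them (both are
    ASSUMPTIONS to confirm against the advisory).
    """
    v = parse_version(version_text)
    fixed = FIXED_IN.get(v.train)
    if fixed is None:
        major, minor = (int(x) for x in v.train.split("."))
        return "patched" if (major, minor) > (9, 0) else "unknown"
    return "patched" if (v.release, v.build) >= fixed else "vulnerable"


def triage(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (ip, version) pairs such as the leaked list by assessment."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for ip, version in entries:
        try:
            groups[assess(version)].append(ip)
        except ValueError:
            groups["unknown"].append(ip)  # unparsable version: review manually
    return groups


# Constructed sample in the shape of the leaked list (documentation-range
# IPs from RFC 5737, not real hosts).
SAMPLE_ENTRIES = [
    ("203.0.113.10", "8.3R7.1"),  # first fixed build in the 8.3 train
    ("203.0.113.11", "9.0R3.3"),  # last vulnerable build in the 9.0 train
    ("203.0.113.12", "8.2R12"),   # one build short of 8.2R12.1
    ("203.0.113.13", "9.1R2"),    # later train, shipped after the fix
    ("203.0.113.14", "8.0R5"),    # end-of-life train, needs manual review
    ("203.0.113.15", "build-?"),  # garbage, also routed to manual review
]

if __name__ == "__main__":
    for status, ips in triage(SAMPLE_ENTRIES).items():
        print(f"{status:>10}: {', '.join(ips) or '-'}")
```

The comparison is deliberately done per release train rather than on a flattened version number, because 8.2R12.1 is a fixed build while 9.0R3.3 is not, even though 9.0 sorts higher; the build component matters too, since 8.2R12 is vulnerable and 8.2R12.1 is not. Anything that does not parse or falls outside the known trains is sent to manual review instead of being silently marked safe.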
It Is High Time To Evaluate Remote Access Again
VPN use has surged with the move to remote work: one study found a 124% rise in March last year alone. More than ever, employees and third parties rely on VPNs to reach corporate networks and, occasionally, the business-critical applications and systems they need to do their jobs. But a VPN grants network access; it was never designed to broker privileged access to specific internal systems.
Attackers have noticed this growing dependence on VPNs and have set out to exploit the disruption created by COVID-19, and many of them have succeeded.
By exploiting VPN server vulnerabilities to reach sensitive systems, they can deploy ransomware, encrypt entire networks and demand large ransoms. In the US the average ransom demand is $84,000, and an incident typically keeps servers down for 16 days.
VPNs have long played a critical role, but this breach, like many before it, shows why organizations must reconsider how they grant access to the most sensitive parts of their corporate networks.
When choosing how to connect remote workers and vendors, striking the right balance between usability and security is essential. According to Doron Naim of CyberArk Labs, the following help enterprises achieve that balance without expensive trade-offs:
- Advances in Zero Trust Network Access (ZTNA), which grants granular access to a specific critical system rather than to the entire network
- Biometric multi-factor authentication (MFA)
- Just-in-time (JIT) provisioning
Combined with the isolation and management of privileged sessions, these approaches can in some cases remove the need for a VPN altogether, along with the operational burden it places on IT administrators.