Since the pandemic outbreak, virtual private networks (VPNs) have become a favorite target for hackers. VPNs are now vital for many firms that give remote employees access to private networks.
According to Bart Vanautgaerden, senior incident response consultant at Mandiant, VPN technology has become crucial for remote access for workers worldwide. But the main questions are when cybercriminals started using VPNs and whether the threat grew during the pandemic.
During the two-and-a-half years leading up to and throughout the COVID-19 outbreak, a Mandiant team looked at cyberattacks targeting VPNs. According to their statistics, it’s unclear whether the surge in remote work or the function of VPN devices in a workplace network is the more substantial cause of attacks.
Vanautgaerden explains that VPN equipment is a tempting target for attackers because of its location on the network: not because of the epidemic, but because of the leverage point and its footing in remote networks.
This is not the first time attackers have targeted VPNs. The response team discovered that the intruder had leveraged a zero-day vulnerability (CVE-2021-22893) to breach the fully patched VPN before pivoting into target networks.
Usually, information such as IP addresses would aid the response team, but in this case, the attackers went out of their way to use IP addresses from which VPN clients would generally connect.
They also deployed anti-forensic measures on the VPN equipment, erasing logs and data and taking special care not to leave any evidence of their activities. They took further steps to blend into their target environment within the network, where ordinarily incident responders may observe an attacker running malware on computers or dumping executables, he says.
In this campaign, attackers only gained remote control over VPN equipment used by victims across the US and Europe. They used 16 malware families, found in the wild, that were explicitly designed to operate on Pulse Secure VPNs; evaded multi-factor authentication to steal identities; and used the stolen credentials to move laterally into private networks and access Microsoft 365 public cloud environments or other digital environments.
Mandiant first reported on the event in April, focusing on victims in the defense industrial base in the United States. Many more organizations have approached the company since the first disclosure, according to Vanautgaerden. Consequently, the team has learned more about larger cyberattacks that may be similar to the one they initially identified.
The perpetrators of the attacks in the United States and Europe are linked to different groups, according to Vanautgaerden. But it’s unclear whether they are special teams cooperating or exchanging information or whether they’re entirely different teams.
During his next Black Hat Europe session, “APTs Go Teleworking: The Rise of VPN Exploits,” Vanautgaerden will provide further details about this research from a European viewpoint, as well as best practices in digital forensics and incident response.