The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have issued advice for tightening the security of virtual private network (VPN) solutions.
The two agencies have produced a document to assist organizations in strengthening their defenses, especially against cyberattacks from nation-state adversaries, who have previously used VPN flaws to “steal passwords, remotely execute code, degrade encrypted traffic’s encryption, hijack encrypted traffic sessions, and access sensitive data from the device.”
According to the NSA, common vulnerabilities and exposures (CVEs) have been exploited by several nation-state advanced persistent threat (APT) actors to access susceptible VPN devices.
The document explains how to choose VPN solutions that adhere to industry standards and best practices when leveraging strong authentication credentials. Moreover, organizations should purchase products from trustworthy providers with a track record of rapidly patching identified flaws.
For strengthening the VPN, the agencies propose limiting the attack surface of the server by:
- Configuring strong cryptography and authentication
- Protecting and monitoring access to and from the VPN
- Running only the features that are strictly necessary
The release of this document was prompted by threat actors, both financially motivated and state-sponsored, who have recently concentrated on exploiting VPN vulnerabilities to achieve their goals.
The attack vector has enticed government-backed hackers, who have exploited weaknesses in VPN equipment to get into networks belonging to governmental institutions and defense corporations throughout the globe.
The NSA and CISA reported in April that Russian Foreign Intelligence Service (SVR) hackers, tracked as APT29, Cozy Bear, and The Dukes, had successfully exploited, and were continuing to exploit, flaws in Fortinet and Pulse Secure VPN devices for initial entry onto a target network.
This sort of network access vector has also piqued the interest of many ransomware groups. At least seven campaigns have used flaws in Fortinet, Ivanti (Pulse), and SonicWall VPN solutions.