Hacking Outside the Box – VPN as an Attack Vector
February 28, 2020
In early February of this year, it became public knowledge that hacking groups based out of the country of Iran were actively exploiting vulnerabilities in Virtual Private Network (VPN) software. Vendors with exploitable software include Pulse Secure, Palo Alto Networks, Fortinet, and Citrix. According to researchers at ClearSky, though, the exploits may actually date back as far as 2017, when two Advanced Persistent Threat (APT) groups known as APT33-Elfin and APT39-Chafer joined forces to target networks in Israel, the United States, and other allied nations of the two.
Unlike many high-profile Denial of Service (DoS) and defacing attacks, for which credit is quickly taken by hackers and hacking groups sympathetic to U.S. adversaries, these groups operated stealthily in order to achieve a much more lucrative and long-term goal. Specifically, the hacks of vulnerable VPN software are perpetrated in order to gain a foothold within a network that can remain long after the point of ingress has been patched. Essentially, the Iranian groups in question used the VPN vulnerability only as a point of ingress. According to a ZDNet article on the subject, the hackers needed only the few hours of lead time provided by the then “zero-day” vulnerability to gain access to the internal networks of undisclosed – and likely unaware – organizations.
The advantages of this attack vector are several. First and foremost, exploiting the software that is specifically designed to secure remote network connectivity is ingenious, because most companies focus on remediating vulnerabilities in traditionally exploited products with notable names, such as Adobe and Microsoft. Another is that the hackers needed to leverage the VPN vulnerabilities only a single time in order to set up backdoors through which they could later return to harvest something even more important: the terabytes of data stored within. An advantage within an advantage is that the manner in which they are believed to have set up the backdoors, via methods such as establishing RDP links over SSH tunneling, masks much of their presence and, on top of that, encrypts the data being exfiltrated. This makes it very probable that many companies that have been hacked via this method are still none the wiser.
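The post notes that RDP carried inside an SSH tunnel to an outside host is hard to spot because the session looks like ordinary encrypted traffic. From the network side, the thing that does stand out is the SSH session itself: an internal host (especially the VPN appliance) holding a long-lived, high-volume SSH connection to an external address. The following script is an added example, not code from the original post or from any of the vendors named in it. It parses a handful of constructed flow records (timestamp, source, destination, destination port, duration in seconds, bytes sent) and flags the SSH flows a defender would want to review. The internal address ranges, the "sensitive source" list, and the duration and volume thresholds are assumptions to be tuned for a real environment.

```python
"""Flag outbound SSH flows consistent with an RDP-over-SSH backdoor.

Added example for illustration; the flow format, address ranges and
thresholds below are assumptions, not taken from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed private ranges for this environment (adjust for a real deployment).
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed: hosts that should never originate SSH sessions to the internet,
# e.g. the VPN appliance that was the point of ingress in the post.
SENSITIVE_SOURCES = {"10.0.0.5"}

SSH_PORT = 22
LONG_SESSION_SECONDS = 3600          # one hour; tune per environment
LARGE_OUTBOUND_BYTES = 500_000_000   # 500 MB; tune per environment

# Constructed sample flow log: time src dst dport duration_s bytes_out
SAMPLE_FLOWS = """\
2020-02-10T01:12:03Z 10.0.0.5 203.0.113.10 22 86400 12000000000
2020-02-10T01:15:44Z 10.0.0.22 10.0.0.30 22 300 40000
2020-02-10T01:20:09Z 10.0.0.22 198.51.100.7 443 45 9000
2020-02-10T02:03:51Z 10.0.0.40 203.0.113.10 22 120 4000
"""


@dataclass
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, dur, out = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(dur), int(out)))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_flow(flow: Flow) -> List[str]:
    """Return the reasons (possibly none) an SSH flow deserves review.

    Only internal-to-external SSH sessions are considered; internal SSH
    and non-SSH traffic are out of scope for this particular check.
    """
    reasons: List[str] = []
    if flow.dport != SSH_PORT:
        return reasons
    if not (is_internal(flow.src) and not is_internal(flow.dst)):
        return reasons
    if flow.src in SENSITIVE_SOURCES:
        reasons.append("ssh from sensitive host to external address")
    if flow.duration_s >= LONG_SESSION_SECONDS:
        reasons.append("long-lived outbound ssh session")
    if flow.bytes_out >= LARGE_OUTBOUND_BYTES:
        reasons.append("large outbound volume over ssh")
    return reasons


def scan(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Return every flow that triggered at least one reason."""
    return [(f, flag_flow(f)) for f in flows if flag_flow(f)]


if __name__ == "__main__":
    for flow, reasons in scan(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.timestamp} {flow.src} -> {flow.dst}:{flow.dport}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, only the appliance's day-long, multi-gigabyte SSH session to 203.0.113.10 is reported; the short administrative SSH session to the same external host, the internal SSH hop, and the HTTPS flow pass. The check is deliberately narrow: it says nothing about what is inside the tunnel, only that an encrypted outbound session with these properties exists, which is exactly the kind of signal an otherwise "none the wiser" organisation would want surfaced for review.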
Quite honestly, the strategy undertaken by Iranian hackers really has no cons. They exploited a zero-day vulnerability within what is generally considered to be security-minded software and planted nearly undetectable backdoors. Unique – and, although hesitantly said, innovative – hacking approaches such as this VPN one will once again require Cybersecurity professionals to “up their game” and add one more “high profile” concern to the already long list of attack vectors which must be protected against. Additionally, it serves as a good reminder to even the general user that security updates and other patches for all software on their computers should be installed as soon as they become available. As displayed by this case, to do otherwise is just asking for cyber trouble.
Justin Gehrke is a veteran Cybersecurity consultant. His vision is to help foster a true Culture of Cybersecurity Compliance across public and private IT sectors. In his spare time, he enjoys reading and herding unruly packets.