
VPN weaknesses fuel surge in ransomware attacks

When ransomware strikes, the first question every security team asks itself is how the attackers got inside what was supposed to be a well-defended network.

These days, the question is asked within minutes of the attack being discovered, and for good reason. Without understanding the weakness that led to an attack, resolving it is mission impossible.

Compromised credentials are usually involved somewhere along the line, but which ones? As multi-factor authentication (MFA) is applied to more and more user credentials, evidence suggests that attackers increasingly look to less documented connections that have slipped through this net, such as VPNs.

But let’s start with the good news: thanks to insurers, we’re getting to see the problem in all its ugly glory. In the past, all the data on vulnerabilities was in the hands of vendors, which is perhaps why, in some cases, the ugly truth wasn’t always spelled out.

For example, according to a recent report by Corvus Insurance, 28.7% of claims in Q3 2024 were traced to weak VPN security, a surge from only 4.8% in the previous quarter. A common problem was a lack of multi-factor authentication (MFA) on these connections, but vulnerabilities in the VPN gateways were another issue.


The report doesn’t mention it, but an example of the latter is CVE-2024-40766, a CVSS 9.3-rated flaw affecting SonicWall VPN hardware, which security firm Arctic Wolf has observed is under active exploitation by at least two ransomware groups in recent weeks.

And it’s not just VPNs from one company: any popular VPN gateway can be a risk. Around the time of the SonicWall report, Cisco patched CVE-2024-20481, a vulnerability dating back to April 2024, when large-scale brute-forcing attacks were launched against its VPN and SSH gateways.

Another insurer, At-Bay, has even gone as far as to state that it believes VPNs have recently replaced notoriously weak spots such as remote desktop protocol (RDP) as the ransomware vector of choice. Given how disastrous RDP is supposed to be, that should cause admins to take note.

What’s going on?

While VPN compromise is not new, what has changed is the number available to target at a time of increased remote working. Another factor is that credentials for remote access technologies such as RDP are being better secured with MFA, which forces attackers to look elsewhere.


However, an interesting theme from insurer data is the issue of on-premise VPNs, which remain popular because they’re cheaper to run than managed cloud VPNs, assuming you’ve already invested in the hardware.

“Our information reveals that companies that use self-managed VPNs, applied on-premises and maintained by in-house IT groups, are related to a significantly greater threat of a security incident than companies that don’t use self-managed VPNs,” noted At-Bay’s report.

“Self-managed” includes Citrix SSL connections not protected by MFA, the weakness that led to the massive Change Healthcare ransomware attack from earlier this year.

VPN, strength or weakness?

The irony of all this is that VPNs are regularly cited as a security technology. But according to another security company, Specops, 2,151,523 VPN passwords have been compromised by malware over the previous 12 months, each one providing fuel for new attacks.

“If VPN passwords have gotten compromised, these nice cybersecurity advantages [of VPNs] might be undone and truly provide a route into your group for attackers,” said senior product supervisor Darren James, hitting the nail squarely on the head.


And it doesn’t require much sophistication; VPNs are everywhere, their weaknesses easily discovered, and the patching of on-premise gateways remains too slow. Not for the first time, attackers turn a technology designed to improve security on its head.
