With most employees working from home amid today’s COVID-19 (coronavirus) outbreak, enterprise VPN servers have become a critical part of a company’s backbone, and their security and availability must be the focus going forward for IT teams.
“It will be very important [that] the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services,” said Guy Bruneau, an ISC SANS instructor in a post last week.
Bruneau’s warning is just one of the many cybersecurity industry alerts published over the past few days on the topic of VPN security.
Similar warnings and security bulletins were published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), and cyber-security firm Radware.
The perfect time to detect VPN account compromises
According to Bruneau, it is now more important than ever that companies and IT staff set up systems to capture metrics about the performance and availability of VPN services.
The ISC SANS instructor says these systems will help companies avoid downtime of mission-critical VPN services, especially now that employees work from home and the VPN service represents the most secure way of accessing company networks and private resources.
Bruneau encourages companies to sift through logs to detect compromises of VPN accounts. Since most employees will now be using VPN systems, they are more likely to fall for phishing attacks that steal VPN account credentials.
In theory, with the proper logging in place, it should now be much easier to spot compromised accounts by looking at irregular VPN usage patterns for each enterprise user working from home.
“The activity that should be scrutinized over the coming weeks would be ports associated with VPN like OpenVPN (1194) or SSL VPN (TCP/UDP 443, IPsec/IKEv2 UDP 500/4500) with their associated logs to ensure these services are accessed by the right individuals and are not abused, exploited or compromised,” Bruneau said.
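One way to look for the irregular per-user usage patterns described above, as an added example that is not part of the original article or of Bruneau's post. The log line format, the thresholds and the function names are assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption, not a product's log.
SAMPLE_LOG = """\
2020-03-16T08:02:11 alice 198.51.100.10 US success
2020-03-17T08:05:40 alice 198.51.100.10 US success
2020-03-18T08:01:03 alice 198.51.100.10 US success
2020-03-18T08:20:00 bob 203.0.113.7 US success
2020-03-19T02:14:09 alice 192.0.2.77 NL failure
2020-03-19T02:14:30 alice 192.0.2.77 NL failure
2020-03-19T02:15:02 alice 192.0.2.77 NL success
2020-03-19T08:03:00 alice 198.51.100.10 US success
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, user, ip, country, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, country, result

def hour_gap(a, b):  # distance between two hours on a 24-hour clock
    return min(abs(a - b), 24 - abs(a - b))

def find_anomalies(log, min_baseline=3, fail_window=timedelta(minutes=10)):
    base = defaultdict(lambda: {"ips": set(), "countries": set(), "hours": []})
    fails = defaultdict(list)            # (user, ip) -> failure timestamps
    alerts = []
    for ts, user, ip, country, result in sorted(parse(log)):
        if result != "success":
            fails[(user, ip)].append(ts)
            continue
        b, reasons = base[user], []
        if len(b["hours"]) >= min_baseline:   # enough history to compare against
            if ip not in b["ips"]:
                reasons.append("new_source_ip")
            if country not in b["countries"]:
                reasons.append("new_country")
            if all(hour_gap(ts.hour, h) > 3 for h in b["hours"]):
                reasons.append("unusual_hour")
        if sum(ts - f <= fail_window for f in fails[(user, ip)]) >= 2:
            reasons.append("failures_then_success")
        if reasons:
            alerts.append((ts.isoformat(), user, ip, reasons))
        else:                                 # only clean logins extend the baseline
            b["ips"].add(ip)
            b["countries"].add(country)
            b["hours"].append(ts.hour)
    return alerts
```

Calling find_anomalies(SAMPLE_LOG) flags only the 02:15 login for alice; flagged logins are kept out of the baseline so a successful intruder does not become "normal" for that account.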
Enable MFA for VPN accounts
In light of an expected increase in VPN phishing attacks, the ISC SANS expert recommends that companies look very closely at enabling a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access.
His recommendation was also echoed by the NJCCIC and DHS CISA in a US-CERT alert the agency sent out last week.
In a report last year, Microsoft said that enabling an MFA solution for online accounts usually blocks 99.9% of all account takeover (ATO) attacks, even if the attacker has valid credentials for the victim’s account.
VPN servers should be patched and up-to-date
But besides enabling MFA to protect VPN accounts for employees working from home, CISA also recommended that companies review the patching levels of corporate VPN products. The same advice was also echoed today in a Radware security alert.
Both CISA and Radware point out that corporate VPN solutions have been the targets of a wide range of attacks that began in the summer of 2019.
Attacks targeted VPN servers from Palo Alto Networks, Fortinet, Pulse Secure, and Citrix:
• Palo Alto Networks Security Advisory PAN-SA-2019-0020, in relation to CVE-2019-1579;
• FortiGuard Security Advisories FG-IR-18-389, in relation to CVE-2018-13382; FG-IR-18-388 in relation to CVE-2018-13383; FG-IR-18-384, in relation to CVE-2018-13379;
• Pulse Secure Security Advisory SA44101, in relation to CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509, CVE-2019-11507;
• Citrix Security Advisory CTX267027, in relation to CVE-2019-19781.
All of these systems should have been patched last year when the vulnerabilities were disclosed, and the first attacks began hitting organizations.
With more and more companies needing VPN capabilities to allow workers to log into private corporate systems and do their duties, IT staff are responding by putting up more VPN servers to deal with the surging traffic.
IT staff now need to pay close attention to the new VPN servers they are putting up and make sure these systems have been patched for the vulnerabilities listed above, which are some of the most targeted vulnerabilities today.
The danger of DDoS attacks on VPN servers
But with so many organizations moving their employee workforce to work-from-home jobs, there is now a new threat on the horizon: extortion.
Hackers could launch DDoS attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability.
With the VPN server acting as a gateway to a company’s internal network, this would prevent all remote employees from doing their jobs, effectively crippling an organization that has few or no workers on-site.
Radware says that these types of DDoS attacks don’t even have to be massive in size.
In a non-public report seen by ZDNet, Dileep Mishra, a Sales Engineering Manager at Radware, says that a fine-tuned TCP Blend (DDoS) attack with an attack volume as low as 1 Mbps is enough to crash a VPN server or a firewall.
Furthermore, SSL-based VPNs (like Pulse Secure, Fortinet, Palo Alto Networks, and others) are also vulnerable to an SSL Flood (DDoS) attack, just like web servers, Mishra said.
Attackers can initiate thousands of SSL connections to an SSL VPN, and then leave them hanging. The VPN server allocates resources to deal with the flood of the attacker’s useless connections, exhausting memory, and preventing legitimate users from using the service.
Furthermore, because even the IT staff will most likely be working from home, any weakness left in VPN servers would be exploited by attackers to cut off system administrators from their own servers while they rampage through the internal network, steal proprietary data, or install ransomware.
Other considerations
But VPN servers are only one option in an array of remote/telework tools available to companies today.
The NJCCIC also recommends that companies pay close attention to the security of cloud and Software-as-a-Service (SaaS) applications that remote workers will be using in the coming months because of the COVID-19 outbreak.
Similarly, Radware also warns about the increased usage of Remote Desktop Protocol (RDP) connections inside companies with ever-increasing remote workforces. RDP endpoints and accounts will need to be properly secured as well, just like VPNs.
Last, but not least, Bruneau also lays out a series of questions and considerations that companies will need to ponder if they’re using VPN systems to grant remote workers access to their internal networks.
- How many concurrent users can log in at the same time?
- Will the VPN corporate policy be relaxed to accommodate the maximum number of employees?
- Who gets priority access if the appliance or service cannot support everyone?
- How much bandwidth does a typical user use?
- Do you split access time between users (i.e. each gets 2 hours)?
- Number of VPN licenses or MFA tokens available?
- Are users allowed to use their personal computers?
- If personal computers are allowed: (1) What is their security posture (patches, AV update, etc.)? (2) Can they be trusted? (3) What files or shares are employees allowed to access?