A few weeks ago, a list of usernames, passwords and IP addresses from more than 900 Pulse Secure VPN servers was published online. The list also contained the SSH keys for each server, a list of all local users and their password hashes, admin account details, VPN session cookies and the most recent connections to these devices. So how did cybercriminals get their hands on so much information?
The leaked list recorded the firmware version of each VPN server, and it turned out that all affected servers were running an older version exposed to a well-known vulnerability: CVE-2019-11510, a flaw at the heart of Pulse Secure, the most widely deployed corporate SSL VPN.
These issues need to be addressed to prevent such attacks from happening again, at a time when bestvpncanada.com recommends that companies use telework as much as possible to slow the spread of coronavirus.
According to the researchers, the cybercriminals behind the compromise scanned the entire IPv4 address space and then exploited the vulnerability to gain access to data from each company's sensitive servers and systems. Timestamps revealed that the stolen information was collected between 24 June and 8 July 2020.
In addition, at the time of the analysis, 617 of the 913 servers on the published list were still vulnerable to CVE-2019-11510, even though the vulnerability had been made public a year earlier, in August 2019, and users had been urged to install the update and change the associated passwords.
The use of VPN servers has skyrocketed with the increase in remote work: a Statista study shows a 124% increase in March 2020 alone. To reach their company's network remotely, employees and external stakeholders use VPNs to access the company's admin accounts and confidential applications. However, these virtual private networks were not designed to provide secure access to critical systems, and cybercriminals have seized on this to use VPN devices as a springboard for cyberattacks.
Exploiting VPN server vulnerabilities to reach sensitive systems allows attackers to deploy ransomware, encrypt entire networks and demand exorbitant ransoms. In the United States, for example, the average ransomware demand is $84,000, and incidents typically result in 16 days of interruption. This represents an approximate cost of $10,000 per day. While VPNs have played an undeniable role in this high-profile data leak, organizations need to completely reassess how they give users remote access to the corporate network.
Companies can therefore build on the progress made on Zero Trust (an approach that grants incremental access to a specific critical system rather than to the entire network), biometric multi-factor authentication (MFA) and just-in-time provisioning, which together let organizations strike a balance between security and collaboration, at lower cost, when connecting employees and external stakeholders. Combined with the isolation and management of privileged sessions, such approaches can in some cases eliminate the need for a VPN altogether, and with it the operational workload that the device entails for IT teams.
With more and more teleworkers, and organizations increasingly dependent on third parties to carry out their operations, it is essential to find innovative ways to grant employees secure privileged access remotely without disrupting operations, so that the data and systems users work with are protected regardless of where they are located.