Dive Brief:
- Remote access made business continuity possible throughout the pandemic. But VPN exploitation rose as hackers scanned for unpatched VPNs, including easily exploitable vulnerabilities, according to Trustwave's 2021 Network Security Report, released Thursday.
- Among those vulnerabilities was CVE-2019-19781 in versions of the Citrix Application Delivery Controller and Citrix Gateway Directory. Citrix provided patches a month after issuing an advisory in December 2019. Scanning for the affected VPN versions increased at the beginning of 2020, SANS found.
- By the end of 2020, 5% of total VPN vulnerabilities remained unpatched, Trustwave found, including a two-year-old Fortinet FortiOS SSL VPN path traversal vulnerability.
Dive Insight:
IT tools that enable everyday work — especially in a remote environment — carry similar importance in business continuity but different security risks.
VPNs allow remote employees to virtually log in to a desired network and ensure a hidden IP address and location. Remote desktop protocol (RDP) takes it a step further, according to NordVPN. With any internet connection, employees can virtually connect to their workplace desktop, with a full range of actions like changing administrative settings or launching applications.
Cybercriminals targeted VPNs prior to the pandemic, but the last year "highlighted some of the challenges of VPNs," Prutha Parikh, senior manager of security research at Trustwave SpiderLabs, told Cybersecurity Dive in an email. VPNs are not a scalable solution, so widespread use during the pandemic strained any given company's security bandwidth.
A legacy VPN played a role in the Colonial Pipeline cyberattack, CEO Joseph Blount testified before the Senate Homeland Security & Government Affairs Committee this month. The version the company was using did not have multifactor authentication, which further protects network access.
The VPN's role in the enterprise is now challenged by zero trust architectures, enabled by cloud-based environments, Parikh said. Zero trust denies all access by default unless explicitly confirmed.
Until the zero trust model becomes more common, VPNs and RDP will continue to define IT during the pandemic, which makes these solutions even more attractive targets. "Allowing users to directly access servers over the internet using RDP is a huge security risk for an organization," Parikh said. The best defense is disabling internet-facing RDP unless it is crucial for business operations. If it is critical, patching must be frequent and routine.
RDP played a role in 90% of cyberattacks, according to Sophos' Active Adversary Playbook 2021 report. The research is based on data from Sophos telemetry and incident reports between 2020 and 2021 from the Sophos Managed Threat Response and Rapid Response teams.
RDP was also found in 69% of cyberattacks with internal lateral movement, but only 4% of cases used RDP for external access. Overall, remote access services, including RDP, were found in 30% of attacks, according to Sophos.
On Jan. 8, more than 200,000 machines were vulnerable to BlueKeep, exploitable amid the SolarWinds attack, Trustwave said. The vulnerable tools were part of FireEye's compromised red team tools. By June, the number of exploitable machines had fallen to 128,000. However, "if the query is limited to machines running Windows Remote Desktop Protocol, there are still nearly 30,000 results," the Trustwave report said.
VPNs and remote access gateways can complement RDP to broker external connections, Parikh said. Limiting the employees who are able to use RDP connections and disallowing "external connections to local machines on the RDP port are some of the other best practices," she said. Because of the threat landscape, companies should be standing up both proactive and reactive security features.
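The two practices Parikh describes above (disabling internet-facing RDP unless it is essential, and blocking external connections to the RDP port) translate into a short host-level audit-and-restrict step on Windows. The script below is an added example written for this article, not code from Trustwave, Sophos or the article itself; it assumes an elevated PowerShell session with the built-in NetSecurity module, and the `$InternalRanges` list is a constructed placeholder to replace with your own trusted address ranges.

```powershell
# Added example (not from the article or Trustwave): audit inbound RDP exposure on a
# Windows host and scope the built-in Remote Desktop firewall rules to internal ranges.
# Assumes an elevated session. The ranges below are constructed placeholders.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is disabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host; nothing to restrict.'
    return
}

# 2. Is Network Level Authentication required before a session is created? (UserAuthentication = 1)
$nla = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication
Write-Output ('NLA required: {0}' -f ($nla.UserAuthentication -eq 1))

# 3. Show every enabled inbound allow rule for TCP 3389 together with its remote-address scope.
#    A scope of 'Any' on an internet-facing interface is the exposure the article warns about.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# 4. Restrict the built-in Remote Desktop rule group so the RDP port only answers internal sources.
#    External users then have to come in through a VPN or remote access gateway, as the article suggests.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $InternalRanges
```

Run step 3 on its own first to see which rules currently expose port 3389 and to which sources; step 4 changes only the Windows "Remote Desktop" rule group, so any custom allow rule for 3389 that the audit lists must be scoped or removed separately, and the change is a host firewall control that complements, rather than replaces, perimeter filtering and routine patching.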