Virtual private network (VPN) services have emerged as essential tools for modern businesses in recent years, doubly so since they helped save the day for many of them in the pandemic-fueled scramble for remote work in 2020. By creating an encrypted tunnel for corporate data traveling between corporate networks and employee devices, VPNs help protect sensitive information without compromising employee productivity or crippling companies’ mission-critical operations. As many organizations have since adapted to a hybrid workplace model that combines in-office and on-the-go work, remote access VPNs have remained a staple in network connectivity and security toolkits.
On the other hand, VPNs have also come under increasing scrutiny due to the rise of security vulnerabilities and exploits targeting them, sometimes even before patches are implemented. As VPNs potentially represent the keys to the corporate realm, their appeal to both state actors and cybercriminals is undeniable. Adversaries are dedicating significant resources to finding weaknesses in enterprise software stacks, which puts additional pressure on organizations and highlights the importance of robust risk mitigation practices.
In an era where mass exploitation of security flaws, large-scale supply chain attacks, and other breaches of corporate defenses are increasingly common, concerns are growing not only about the ability of VPNs to help safeguard company data from bad actors, but also about the fact that this software is itself another source of cyber risk.
This begs the question: Could enterprise VPNs be a liability that increases your organization’s attack surface?
The keys to the kingdom
A VPN routes user traffic through an encrypted tunnel that safeguards data from prying eyes. The main raison d’être of a corporate VPN is to create a private connection over a public network or the Internet. In doing so, it allows a geographically dispersed workforce to access internal networks as if they were sitting at their office desk, essentially making their devices part of the corporate network.
But just as a tunnel can collapse or leak, a vulnerable VPN appliance can face all manner of threats. Outdated software is often the reason why many organizations fall victim to an attack. Exploiting a VPN vulnerability can allow hackers to steal credentials, hijack encrypted traffic sessions, remotely execute arbitrary code, and give them access to sensitive corporate data. This 2023 VPN Vulnerabilities Report provides a handy overview of VPN vulnerabilities reported in recent years.
In fact, just like any other software, VPNs require maintenance and security updates to patch vulnerabilities. However, it seems that companies are struggling to keep up with VPN updates, partly because VPNs often have no scheduled downtime and are instead expected to always be up and running.
Ransomware groups are known to often target vulnerable VPN servers, and once they gain access, they can move within a network to do whatever they want, such as encrypting and holding data for ransom, exfiltrating it, conducting espionage and more. In other words, successful exploitation of a vulnerability paves the way for further malicious access, potentially leading to widespread compromise of the corporate network.
Cautionary tales abound
Recently, Global Affairs Canada launched an investigation into a data breach caused by a compromise of its preferred VPN solution, which had been ongoing for at least a month. Allegedly, hackers managed to access an unknown number of employee emails and various servers to which their laptops connected, starting on December 20, 2023, until January 24, 2024. It goes without saying that data breaches incur immense costs: on average $4.45 million, according to IBM’s Cost of a Data Breach 2023 report.
In another example, Russian-aligned threat actors targeted five vulnerabilities in enterprise VPN infrastructure products in 2021, prompting a public advisory from the NSA urging organizations to apply patches as soon as possible; otherwise they ran the risk of hacking and espionage.
Another concern is design flaws that are not limited to a particular VPN service. For example, the TunnelCrack vulnerabilities, recently discovered by researchers and affecting many corporate and consumer VPNs, could allow attackers to trick victims’ devices into sending their traffic outside the protected VPN tunnel and then snoop on their data transmissions.
Critical security updates are needed to close these types of security gaps, so keeping VPN software updated is a must. The same goes for employee awareness, as another traditional threat involves bad actors using deceptive websites to trick employees into giving up their VPN login credentials. A fraudster can also steal an employee’s phone or laptop to infiltrate internal networks and compromise and/or exfiltrate data or silently snoop on company activities.
Data protection
A company should not rely solely on its VPN as a means of protecting its employees and internal information. A VPN does not replace regular endpoint protection or other authentication methods.
Consider implementing a solution that can aid in vulnerability assessment and patching as the importance of staying up to date on security updates released by software manufacturers, including VPN providers, cannot be stressed enough. In other words, regular maintenance and security updates are one of the best ways to minimize the chances of a successful cyber incident occurring.
Importantly, take additional measures to harden your favorite VPN against compromise. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) of the United States have published a handy booklet outlining various precautions that do just that. This includes reducing the attack surface, using strong encryption to encode sensitive company data, strong authentication (such as an added second factor in the form of a one-time code), and monitoring VPN use. Use an industry-standard VPN from a trusted provider with a proven track record of following cybersecurity best practices.
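As an added example (not from the article, CISA/NSA, or any VPN vendor), the following Python check applies the "strong authentication" and "monitoring VPN use" advice above to constructed VPN sign-in log lines: it flags successful sign-ins that follow a burst of failures, successes without a second factor, and connections from a source address an account has not used before. The log layout and the per-user baseline of known addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the "timestamp user source result mfa=" layout is assumed,
# not any real appliance's log format.
SAMPLE_LOG = """\
2024-01-20T08:01:10Z alice 203.0.113.5 SUCCESS mfa=yes
2024-01-20T08:02:00Z bob 198.51.100.7 FAIL mfa=no
2024-01-20T08:02:05Z bob 198.51.100.7 FAIL mfa=no
2024-01-20T08:02:09Z bob 198.51.100.7 FAIL mfa=no
2024-01-20T08:02:14Z bob 198.51.100.7 FAIL mfa=no
2024-01-20T08:02:20Z bob 198.51.100.7 SUCCESS mfa=no
2024-01-20T09:15:00Z carol 192.0.2.44 SUCCESS mfa=yes
"""

# Constructed baseline: source addresses each account normally connects from.
KNOWN_SOURCES = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.7"}, "carol": {"203.0.113.9"}}

def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and boolean outcome flags."""
    ts, user, src, result, mfa = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src": src, "ok": result == "SUCCESS", "mfa": mfa == "mfa=yes"}

def find_risky_logins(log_text, known_sources, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (user, reason) pairs for successful sign-ins that deserve analyst review."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    findings = []
    for ev in events:
        if not ev["ok"]:
            recent_failures[ev["user"]].append(ev["ts"])
            continue
        # A success right after repeated failures is a classic guessing/stuffing indicator.
        fails = [t for t in recent_failures[ev["user"]] if ev["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            findings.append((ev["user"], "success after %d failures" % len(fails)))
        # Sessions established without a second factor weaken the phishing resistance discussed above.
        if not ev["mfa"]:
            findings.append((ev["user"], "success without MFA"))
        # A never-before-seen source for this account is worth a look (stolen credentials or device).
        if ev["src"] not in known_sources.get(ev["user"], set()):
            findings.append((ev["user"], "new source %s" % ev["src"]))
        recent_failures[ev["user"]].clear()
    return findings

if __name__ == "__main__":
    for user, reason in find_risky_logins(SAMPLE_LOG, KNOWN_SOURCES):
        print(user, "-", reason)
```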
No VPN software guarantees perfect protection, and a company would be foolhardy to rely solely on it for access management. Organizations can also benefit from exploring other options to support a distributed workforce, such as the Zero Trust security model that relies on continuous user authentication, as well as other controls, which include continuous network monitoring, privileged access management and secure multi-level authentication. Add endpoint detection and response to the mix, as this can, among other things, reduce the attack surface, and its AI-based threat detection capabilities can automatically highlight suspicious behavior.
Also, consider the level of VPN security you have or want. VPNs differ in what they offer: there is much more going on under the surface than setting up a simple connection to a server, and a product may include various additional security measures. VPNs may also differ in how they handle user access: one might require users to enter their credentials for every session, while another might authenticate them only once.
Parting thoughts
While VPNs are often a crucial component for secure remote access, they can be, especially in the absence of other security practices and controls, juicy targets for attackers trying to break into corporate networks. Various Advanced Persistent Threat (APT) groups have recently weaponized known vulnerabilities in VPN software to steal user credentials, remotely execute code, and extract corporate crown jewels. Successful exploitation of these vulnerabilities typically paves the way for further malicious access, potentially leading to large-scale compromises of enterprise networks.
As working models evolve, the demand for remote access persists, underscoring the ongoing importance of prioritizing the security of a dispersed workforce as a core element within an organization’s security strategy.