With most employees working from home amid the COVID-19 (coronavirus) outbreak, VPN servers have now become paramount to a company’s backbone, and their security and availability must be the focus going forward for IT teams. It is now more important than ever that companies and IT staff set up systems to capture metrics about the performance and availability of VPN services.
CISA (Cybersecurity and Infrastructure Security Agency) has issued an advisory for all VPN servers and client software.
Here are some tips for securing company resources while employees work remotely:
- Enable MFA for VPN Accounts: Companies should enable Multi-Factor Authentication (MFA) solutions to protect VPN accounts from unauthorized access.
- Patch and update VPN Servers: Companies should review the patch levels as corporate VPN solutions have become the target of widespread attacks since the summer of 2019.
- Deter a DDoS (distributed denial of service) attack on VPNs: An attacker can launch a DDoS attack against a VPN service and exhaust its resources, crashing the VPN server and limiting its availability.
- Stay vigilant regarding expected COVID-19 phishing scams: avoid social engineering and phishing attacks during these uncertain times when employees are distracted and may be prone to click on untrusted sources for news updates.
Enable Multi-Factor Authentication for VPN accounts
In light of an expected increase in VPN phishing attacks, companies should look very closely at enabling a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access. In a report last year, Microsoft said that enabling MFA for online accounts usually blocks 99.9% of all account takeover (ATO) attacks, even when the attacker has valid credentials for the victim’s account.
VPN servers must be patched and updated
In addition to enabling MFA to protect VPN accounts for employees working from home, organizations should review the patching levels of corporate VPN products.
Previous attacks have targeted VPN servers from vendors such as Palo Alto Networks, Fortinet, Pulse Secure, and Citrix. Patches should be applied, and vendor advisories followed, for the critical vulnerabilities listed below:
- Palo Alto Networks Security Advisory PAN-SA-2019-0020, in relation to CVE-2019-1579.
- FortiGuard Security Advisories FG-IR-18-389, in relation to CVE-2018-13382; FG-IR-18-388, in relation to CVE-2018-13383; FG-IR-18-384, in relation to CVE-2018-13379.
- Pulse Secure Security Advisory SA44101, in relation to CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509, CVE-2019-11507.
- Citrix Security Advisory CTX267027, in relation to CVE-2019-19781.
- Cisco AnyConnect Security Advisory cisco-sa-20190515-anyconnectclient-oob-read, in relation to CVE-2019-1853.
With more and more companies needing VPN capabilities to allow workers to log into private corporate systems and do their duties, IT staff are responding by putting up more VPN servers to deal with the surging traffic. IT staff now need to pay close attention to the new VPN servers they are putting up and make sure these systems have been patched for the vulnerabilities listed above, which are some of the most targeted vulnerabilities today.
The danger of DDoS attacks on VPN servers
With so many organizations moving their employee workforce to work-from-home roles, there is now a new threat on the horizon — DDoS extortion. Attackers could launch DDoS attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability for mission-critical operations.
With the VPN server acting as a gateway to a company’s internal network, this would prevent all remote employees from doing their jobs, effectively crippling an organization that has little to no workers on-site. Furthermore, SSL-based VPNs (like Pulse Secure, Fortinet, Palo Alto Networks, and others) are also vulnerable to an SSL Flood (DDoS) attack, just like web servers.
Social engineering and phishing attacks are common tactics for hackers
The rapid shift to work-from-home increases the organization’s exposure to adversaries. Remind employees to stay aware of potential phishing attempts and, if in doubt, not to open or click on unknown or suspicious emails. People are often the weakest link that malicious actors target in their attempts to inflict damage or steal sensitive data.
Netsurion EventTracker SOC Actions
The EventTracker SOC is monitoring VPN reports diligently to identify irregular VPN usage patterns, making it easier to alert on compromised accounts. We will promptly notify you of any suspicious activity.
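As an added illustration of the kind of irregular VPN usage pattern a SOC looks for (example code written for this page, not Netsurion’s or EventTracker’s detection logic), the script below runs two checks over constructed VPN authentication log lines: a successful login immediately after a burst of failed attempts on the same account, and two successful logins for one account from different countries within an hour. The log format, field names, thresholds and sample values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real data). Assumed format:
# <UTC timestamp> user=<name> src=<ip> country=<ISO code> result=<success|failure>
SAMPLE_LOG = """\
2020-03-23T08:01:10Z user=alice src=203.0.113.5 country=US result=success
2020-03-23T08:02:40Z user=bob src=198.51.100.7 country=US result=success
2020-03-23T08:05:01Z user=carol src=192.0.2.9 country=DE result=failure
2020-03-23T08:05:03Z user=carol src=192.0.2.9 country=DE result=failure
2020-03-23T08:05:05Z user=carol src=192.0.2.9 country=DE result=failure
2020-03-23T08:05:07Z user=carol src=192.0.2.9 country=DE result=failure
2020-03-23T08:05:09Z user=carol src=192.0.2.9 country=DE result=failure
2020-03-23T08:05:12Z user=carol src=192.0.2.9 country=DE result=success
2020-03-23T08:30:00Z user=alice src=192.0.2.44 country=BR result=success
"""

FAIL_THRESHOLD = 5                  # failures before a following success is suspicious (assumed)
FAIL_WINDOW = timedelta(minutes=5)  # how far back to count those failures (assumed)
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window is suspicious (assumed)

def parse_line(line):
    """Turn one log line into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_irregular_logins(log_text):
    """Return alert strings, in log order, for the two patterns described above."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    last_success = {}             # user -> (time, country) of last successful login
    for ev in events:
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user].append(ev["time"])
            continue
        # Success preceded by a burst of failures: possible password guessing that worked
        recent = [t for t in failures[user] if ev["time"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(f"{user}: success after {len(recent)} failures from {ev['src']}")
        failures[user].clear()
        # Success from a different country shortly after another success: credential sharing or theft
        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ev["time"] - prev[0] <= TRAVEL_WINDOW:
            minutes = int((ev["time"] - prev[0]).total_seconds() // 60)
            alerts.append(f"{user}: login from {ev['country']} {minutes} min after {prev[1]}")
        last_success[user] = (ev["time"], ev["country"])
    return alerts
```

On the sample above the function flags carol (five failures then a success) and alice (US then BR within 29 minutes), while bob’s ordinary login produces nothing.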
With the increased use of remote work, organizations should ensure that their VPN solution is monitored, patched, and closely managed to protect against active exploits. Expect phishing emails and social engineering attempts related to COVID-19 to continue, especially against high-value targets like sysadmins in order to steal credentials. Please don’t hesitate to contact Netsurion or your customer success manager with any questions or to discuss something suspicious.