May 01, 2024
Key Points
ReliaQuest has recently observed widespread exploitation of vulnerabilities in publicly accessible virtual private networks (VPNs) in incidents spanning sectors and geographies. Once attackers gain initial access and compromise systems, they can conduct network or account discovery, brute forcing, or lateral movement. This Threat Spotlight report provides insights into understanding your VPN attack surface, common threat actor techniques, defense recommendations, and how ReliaQuest can support your mitigation efforts.
VPN, a popular method for encrypting transmitted data, secures connections and supports a flexible hybrid workforce. VPN's popularity (around 45% of the ReliaQuest customer base ingests remote access logging) has led to the availability of multiple providers (e.g., F5 BIG-IP, Cisco AnyConnect, Fortinet FortiClient, and Palo Alto GlobalProtect) and implementation types, including:
As the increased popularity and widespread adoption of traditional VPNs have exposed the technology’s limitations, alternative and supplementary solutions have arisen, including:
To assess the attack surface and risk associated with their VPN deployment, organizations should perform a retrospective look into configurations and test expected outcomes. Below, we’ve included some methods from ReliaQuest Threat Research investigations that organizations can use to assess their current posture.
VPNs are a gateway to the internal network, so organizations should pay close attention to their external security controls and publicly available information.
Does your organization regularly review accounts configured for VPN access?
Accounts that do not need VPN access may still be configured for this purpose. We have observed configured accounts that recorded no VPN activity for several months before being compromised. A better option would be to create specific groups within Active Directory (AD) for accounts authorized for VPN access.
Does your organization audit local accounts?
We have noted configurations that allowed local, non-domain accounts to gain internal access via VPNs. These accounts, often created by internal teams or third-party entities for firewall and VPN device setup or maintenance, may lack proper management and oversight and could remain unmonitored.
Does your organization use additional authentication methods such as multifactor authentication (MFA) or certificate-based authentication? Do you review or track accounts not configured to use these methods?
We have investigated dormant accounts within environments that were never disabled after falling into disuse. These accounts often do not have MFA configured, which provides an opportunity for unauthorized initial access.
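The three checks above (accounts authorized for VPN access that never use it, gateway-local accounts outside AD, and authorized accounts without MFA) can be run as one periodic review. The following is an added example, not ReliaQuest tooling: it assumes an exported membership list for a VPN-access AD group, a list of local accounts from the gateway, an MFA enrollment export from the identity provider, and a syslog-like VPN authentication log. All inputs are constructed inline so the script runs offline.

```python
"""Audit of accounts authorized for VPN access.

Added example, not ReliaQuest's own tooling. All inputs are constructed
inline; the log format, group membership and MFA enrollment list are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: members of an assumed AD group that grants VPN access
VPN_GROUP_MEMBERS = {
    "alice@corp.example", "bob@corp.example",
    "svc-backup@corp.example", "contractor1@corp.example",
}
# Constructed: local (non-domain) accounts defined on the gateway itself
GATEWAY_LOCAL_ACCOUNTS = {"fwadmin", "vendor-support"}
# Constructed: accounts with MFA enrolled, as exported from the identity provider
MFA_ENROLLED = {"alice@corp.example", "contractor1@corp.example"}
# Constructed VPN authentication log (assumed syslog-like format)
VPN_AUTH_LOG = """\
2024-04-28T08:01:10Z vpn-gw1 login-success user=alice@corp.example src=203.0.113.5
2024-04-29T18:22:41Z vpn-gw1 login-success user=alice@corp.example src=203.0.113.5
2024-01-03T09:15:00Z vpn-gw1 login-success user=bob@corp.example src=198.51.100.20
2024-04-30T23:58:03Z vpn-gw1 login-success user=vendor-support src=192.0.2.77
2024-04-30T23:59:10Z vpn-gw1 login-failure user=svc-backup@corp.example src=192.0.2.99
"""
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
DORMANT_AFTER = timedelta(days=60)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>login-success|login-failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_last_logins(log_text):
    """Map each user to the timestamp of its most recent successful VPN login.
    Failed attempts are deliberately ignored: they prove targeting, not use."""
    last = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "login-success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if m["user"] not in last or ts > last[m["user"]]:
            last[m["user"]] = ts
    return last


def audit_vpn_accounts(group_members, local_accounts, mfa_enrolled, log_text,
                       now=NOW, dormant_after=DORMANT_AFTER):
    """Return the review findings a practitioner would act on.

    dormant    : authorized accounts with no successful login for `dormant_after`
    never_used : authorized accounts with no successful login in the log at all
    no_mfa     : authorized accounts not enrolled in MFA
    local      : gateway-local accounts and whether they have logged in
    """
    last = parse_last_logins(log_text)
    findings = {"dormant": [], "never_used": [], "no_mfa": [], "local": []}
    for user in sorted(group_members):
        seen = last.get(user)
        if seen is None:
            findings["never_used"].append(user)
        elif now - seen > dormant_after:
            findings["dormant"].append(user)
        if user not in mfa_enrolled:
            findings["no_mfa"].append(user)
    for user in sorted(local_accounts):
        findings["local"].append((user, "active" if user in last else "no login seen"))
    return findings


if __name__ == "__main__":
    for category, items in audit_vpn_accounts(
        VPN_GROUP_MEMBERS, GATEWAY_LOCAL_ACCOUNTS, MFA_ENROLLED, VPN_AUTH_LOG
    ).items():
        print(f"{category}: {items}")
```

In the constructed data, the service account shows only a failed login, so it surfaces as both never used and lacking MFA, which is exactly the combination the text describes being compromised. The local vendor account is active but invisible to AD-based reviews, which is why the gateway's own account list is a separate input.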
If your organization does use MFA, does your team understand the risks from techniques like MFA fatigue attacks? Are users encouraged to report anomalous MFA activity?
Although this additional layer of protection is recommended, incomplete deployment of MFA or push notification abuse might lead to bypass attempts like MFA fatigue attacks. The Threat Research team has observed users, bombarded with MFA requests, unwittingly granting access to adversaries. We’ve also witnessed threat actors using social engineering tactics against help desk personnel to reset MFA configurations.
Are help desk phone numbers or password reset links available on your VPN portals? Do you host VPN software downloads within your VPN web portals?
The ReliaQuest Threat Research team has seen VPN login portals that contain help desk information, password reset links, and VPN software download links that have facilitated access attempts for threat actors. Although this information is helpful for remote users, exposing these details introduces risk, and organizations must plan accordingly for related targeting, e.g., social-engineering–based attacks. Some approaches like always-on VPN deployments could also minimize the need for a VPN portal that contains this information.
Has your organization configured and audited administrative logins via web portals or SSH? If so, is this access restricted to certain locations? Are configurations consistent across VPN servers/gateways?
If configured incorrectly, VPN implementations may publicly expose administrator web or SSH access accounts to the internet. If possible, avoid allowing access using admin-level accounts, implement controls to limit authorized locations for these accounts, or limit usage to standard-rights accounts. Public exposure of these accounts also subjects these assets to internet-based attacks aimed at harvesting credentials, like brute forcing and account guessing. Such exposure could inadvertently affect other external services, like O365, since compromised credentials linked to a domain account may be reused across different platforms.
Does your organization have a clear understanding of regions allowed for VPN access?
Organizations that operate from one geographic location may not need to allow access from foreign sources. Implementing controls to restrict access attempts from unexpected locations can help reduce the overall attack surface.
If attackers gain access, it is imperative organizations understand their internal attack surface in order to contain an incident. We’ve observed higher risk of internal access via remote access or SSL VPNs, and as such organizations should ensure that all current VPN controls are in place, review the type of internal access that accounts have across groups, and prevent abuse of this access for actions like discovery.
Does your organization understand the type of traffic allowed between site-to-site VPNs and the resources it can reach?
Before attackers can abuse site-to-site VPN, they must complete some preliminary steps, including initial compromise of a site via other methods. However, it’s important to understand the risk and controls associated with this site-to-site VPN configuration, since it can allow for lateral movement and discovery from a compromised site. Implement a least-privilege approach to limit access to only necessary resources, since access to the entire network is rarely needed. Limit SSH or RDP usage as much as possible and monitor accordingly where it is needed. Consider applying network segmentation for these zones. In some cases, this type of access may be unnecessary if certain applications can be cloud-hosted.
Are there controls in place to restrict access to internal resources from remote access or SSL VPNs? Should these devices or users be allowed to talk to other workstations within the network?
The ReliaQuest Threat Research team has investigated instances of unconstrained access to internal systems from a threat-actor–controlled device after a successful VPN connection, leading to consequences like cyber espionage and double extortion. Ideally, accounts should not be able to attempt remote connections (RDP/SSH) to internal servers from VPN zones. At a minimum, this access should be limited and monitored accordingly.
Besides understanding your attack surface, it’s important to understand methodologies threat actors can take pre- and post-access when targeting publicly accessible VPNs.
By design, VPN devices are exposed to the public internet, making them susceptible to fingerprinting by tools that map and gather information about internet-connected devices and systems, such as Shodan and Censys. A simple query on these platforms can return hundreds, if not thousands, of potential VPN targets for attackers. Once an attacker has passively identified a target, they can quickly pivot to actively assessing the VPN login portals (see Figure 1).
Figure 1: Example login portal for a VPN service
In addition to manual reconnaissance via fingerprinting tools, threat actors might also have access to open-source or custom tools that automate the entire process. For instance, the reconnaissance and exploitation tool Vortex is readily accessible and can be used during multiple stages of attacks, including VPN endpoint detection, account discovery, brute forcing, credential stuffing, and vulnerability exploitation. Such tooling highlights the ease with which even novice cybercriminals can target organizations.
Security researchers are increasingly highlighting the threat from password spraying attacks. This technique, which has been linked to malware like the Brutus botnet, has targeted SSL VPN devices from various vendors. Investigators have also linked this botnet’s infrastructure to advanced persistent threat (APT) groups such as APT29 (aka NOBELIUM, Cozy Bear, and Midnight Blizzard).
Threat actors use publicly accessible information and credentials exposed in past data breaches for valid-account credential abuse. We have encountered instances where threat actors used credentials obtained via infostealer malware within weeks of their acquisition. Adversaries also benefit from browser sync: a user synchronizes saved passwords and settings from a work browser profile to a personal, unmonitored device, and an infostealer on that device harvests the corporate credentials.
Organizations may see evidence of these techniques in their event logs as targeted access attempts or brute forcing against acquired account lists. This activity is usually automated, and the source IPs may already appear in reputation feeds such as AbuseIPDB, where users file abuse reports against IPs observed in unwanted activity.
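The password spraying and brute forcing described above leave distinct shapes in VPN authentication logs: a spray is one source trying many accounts once or twice each within a short window, while brute forcing is one source hammering a single account. The following is an added example, not ReliaQuest detection content, that labels source IPs by those patterns and also flags a success that follows repeated failures from the same source, the first candidate for a compromised account. The log lines are constructed, and the log format, window and thresholds are assumptions to tune per environment.

```python
"""Detection of password spraying and brute forcing against a VPN portal.

Added example, not ReliaQuest's own detection content. The log lines are
constructed; the format and thresholds are assumptions to tune per environment.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed VPN authentication log: a spray, a brute force, and a benign typo
VPN_AUTH_LOG = """\
2024-04-30T02:00:01Z vpn-gw1 login-failure user=alice@corp.example src=198.51.100.9
2024-04-30T02:00:03Z vpn-gw1 login-failure user=bob@corp.example src=198.51.100.9
2024-04-30T02:00:05Z vpn-gw1 login-failure user=carol@corp.example src=198.51.100.9
2024-04-30T02:00:07Z vpn-gw1 login-failure user=dave@corp.example src=198.51.100.9
2024-04-30T02:00:09Z vpn-gw1 login-failure user=erin@corp.example src=198.51.100.9
2024-04-30T02:00:11Z vpn-gw1 login-failure user=frank@corp.example src=198.51.100.9
2024-04-30T02:00:13Z vpn-gw1 login-success user=grace@corp.example src=198.51.100.9
2024-04-30T03:00:00Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:01Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:02Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:03Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:04Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:05Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:06Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T03:00:07Z vpn-gw1 login-failure user=alice@corp.example src=203.0.113.200
2024-04-30T08:15:00Z vpn-gw1 login-failure user=bob@corp.example src=192.0.2.10
2024-04-30T08:15:20Z vpn-gw1 login-success user=bob@corp.example src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>login-success|login-failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Return (timestamp, event, user, src) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["event"], m["user"], m["src"]))
    events.sort()
    return events


def analyze_sources(events, window_s=600, spray_min_users=5, brute_min_attempts=8):
    """Label each source IP with the attack pattern its failures match.

    password-spray               : many distinct users, few tries each, in one window
    brute-force                  : many tries against a single account
    success-after-failures:<user>: a success after repeated failures from the same
                                   source, the candidate compromised account
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "login-failure"]
        # largest number of distinct accounts targeted inside any sliding window
        max_users = 0
        for i in range(len(failures)):
            users = set()
            for j in range(i, len(failures)):
                if (failures[j][0] - failures[i][0]).total_seconds() > window_s:
                    break
                users.add(failures[j][2])
            max_users = max(max_users, len(users))
        max_per_user = max(Counter(e[2] for e in failures).values(), default=0)
        labels = []
        if max_users >= spray_min_users and max_per_user <= 2:
            labels.append("password-spray")
        if max_per_user >= brute_min_attempts:
            labels.append("brute-force")
        failed_so_far = 0
        for _, event, user, _ in evs:
            if event == "login-failure":
                failed_so_far += 1
            elif failed_so_far >= 3:
                labels.append(f"success-after-failures:{user}")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in analyze_sources(parse_events(VPN_AUTH_LOG)).items():
        print(f"{src}: {', '.join(labels)}")
```

The per-user ceiling of two attempts is what keeps a spray from also being counted as a brute force, and the single benign failure-then-success from 192.0.2.10 produces no finding. In production the flagged sources are the ones to check against a reputation feed such as AbuseIPDB before blocking.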
Threat actors frequently target VPN devices for exploit development, which has led to the disclosure of multiple high-profile vulnerabilities that allow internal access or on-device actions, including:
Organizations should have internal processes for tracking the versions of deployed products, tracking the CVEs that apply to them, and responding to new vulnerabilities that might affect current deployments. These processes should cover taking devices offline for patching or in an emergency: the expected impact, who is authorized to perform the action, and what approvals are needed. They should also identify personnel who can assist with investigative steps such as manual checks for web shells, the logging and monitoring opportunities for detecting those web shells, and any follow-up actions on the devices, including determining where the connections are coming from.
Flaws in configuration can allow threat actors to bypass network segmentation and gain direct access to critical systems like domain controllers. The ReliaQuest Threat Research team has observed adversaries exploiting such unrestricted access for internal discovery, lateral movement, establishing persistence, and credential dumping. In some cases, we witnessed threat actors lying dormant to perform discovery within environments, collecting information on internal networks, valid accounts, account naming conventions, and available resources. We have also observed cases of credential dumping that led to subsequent VPN access with newly compromised accounts even after remediation actions were applied to the original account. The threat actor used this access to conduct further discovery and maintain persistence using techniques including process masquerading, scheduled tasks, and service installations (including installing tools like Rclone for data exfiltration). Segmenting these networks and restricting the type of traffic allowed from these zones can help organizations minimize their attack surface post-access.
Implementing comprehensive logging measures is crucial in tracking external authentications, identifying compromised accounts, monitoring connected devices, and scrutinizing activities emanating from the VPN-assigned address. We have investigated cases in which threat actors targeted unmonitored hosts during initial access, leading to further unauthorized activities. For example, an adversary executed WinRM commands across various hosts monitored via logging and an EDR solution. While the victim promptly initiated containment and remediation actions, a device unmonitored by EDR and with no logs ingested facilitated additional malicious activities, including tool deployment within the network environment. It’s critical to extend monitoring and protection measures across all network assets and implement a thorough and all-encompassing monitoring strategy to secure the network post-access.
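The monitoring point above, and the earlier recommendation that accounts in VPN zones should not be making RDP or SSH connections to internal servers, both hinge on being able to tie activity from a VPN-assigned address back to the user who held it at the time. The following is an added example, not ReliaQuest detection content, that joins a gateway session log with an internal firewall log, attributes each SSH/RDP/WinRM flow from the VPN pool to a user, flags users whose address reached more than a small number of internal hosts over those protocols, and separately reports admin-protocol flows that no session accounts for (the unmonitored-host situation described above). Both logs are constructed; their formats, the VPN pool and the host threshold are assumptions.

```python
"""Correlate VPN-assigned addresses with internal admin-protocol connections.

Added example, not ReliaQuest's own detection content. Both logs are
constructed; their formats, the VPN pool and the host threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Destination ports whose use from the VPN zone should be rare and monitored
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}

# Constructed VPN gateway session log: the address handed to each remote user
VPN_SESSION_LOG = """\
2024-04-30T09:00:00Z vpn-gw1 session-start user=alice@corp.example assigned=10.200.0.15
2024-04-30T09:05:00Z vpn-gw1 session-start user=bob@corp.example assigned=10.200.0.16
2024-04-30T11:00:00Z vpn-gw1 session-end user=alice@corp.example assigned=10.200.0.15
2024-04-30T12:00:00Z vpn-gw1 session-start user=carol@corp.example assigned=10.200.0.15
"""
# Constructed internal firewall log: flows permitted out of the VPN zone 10.200.0.0/24
FLOW_LOG = """\
2024-04-30T09:10:00Z fw-core allow src=10.200.0.15 dst=10.1.1.5 dport=5985
2024-04-30T09:11:00Z fw-core allow src=10.200.0.15 dst=10.1.1.6 dport=5985
2024-04-30T09:12:00Z fw-core allow src=10.200.0.15 dst=10.1.1.7 dport=3389
2024-04-30T09:13:00Z fw-core allow src=10.200.0.15 dst=10.1.1.8 dport=22
2024-04-30T09:20:00Z fw-core allow src=10.200.0.16 dst=10.1.1.9 dport=443
2024-04-30T09:21:00Z fw-core allow src=10.200.0.16 dst=10.1.1.5 dport=3389
2024-04-30T11:30:00Z fw-core allow src=10.200.0.15 dst=10.1.1.5 dport=22
2024-04-30T12:30:00Z fw-core allow src=10.200.0.15 dst=10.1.2.20 dport=3389
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session-(?P<kind>start|end) user=(?P<user>\S+) assigned=(?P<ip>\S+)$"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ allow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(session_log):
    """Return (user, assigned_ip, start, end) tuples; end is None for sessions still open."""
    open_by_ip, sessions = {}, []
    for line in session_log.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        if m["kind"] == "start":
            open_by_ip[m["ip"]] = (m["user"], t)
        else:
            user, start = open_by_ip.pop(m["ip"], (m["user"], t))
            sessions.append((user, m["ip"], start, t))
    sessions.extend((user, ip, start, None) for ip, (user, start) in open_by_ip.items())
    return sessions


def attribute(flow_ts, src_ip, sessions):
    """Name the VPN user who held src_ip at flow_ts, or None if no session covers it."""
    for user, ip, start, end in sessions:
        if ip == src_ip and start <= flow_ts and (end is None or flow_ts <= end):
            return user
    return None


def find_lateral_movement(session_log, flow_log, max_hosts=2):
    """Flag VPN users whose assigned address reached more than max_hosts internal
    hosts over SSH/RDP/WinRM, and list admin-port flows no session accounts for."""
    sessions = build_sessions(session_log)
    targets_by_user = defaultdict(set)
    unattributed = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["dport"]) not in ADMIN_PORTS:
            continue
        proto = ADMIN_PORTS[int(m["dport"])]
        user = attribute(parse_ts(m["ts"]), m["src"], sessions)
        if user is None:
            unattributed.append((m["src"], m["dst"], proto))
        else:
            targets_by_user[user].add((m["dst"], proto))
    flagged = {
        user: sorted(targets)
        for user, targets in targets_by_user.items()
        if len({dst for dst, _ in targets}) > max_hosts
    }
    return flagged, unattributed


if __name__ == "__main__":
    flagged, unattributed = find_lateral_movement(VPN_SESSION_LOG, FLOW_LOG)
    for user, targets in flagged.items():
        print(f"{user}: admin-protocol connections to {targets}")
    for src, dst, proto in unattributed:
        print(f"unattributed {proto} flow {src} -> {dst}: no VPN session covers it")
```

The unattributed flow at 11:30 is the instructive case: the address was reassigned between two users, so a naive join on IP alone would blame the wrong account, and a flow with no covering session points at either a logging gap or a device that connected outside the gateway's knowledge. In a real deployment the session and flow logs come from the gateway and the segmentation firewall respectively, and the port list should match whatever the VPN zone policy is meant to forbid.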
Newer architectures and frameworks like Zero Trust aim to further secure remote access by addressing some shortcomings of traditional VPNs. Yet, VPNs remain a staple service for organizations as they facilitate remote access, especially in the global landscape of modern, flexible business operations. Due to their public nature, continued popularity, and inherent vulnerabilities, VPN systems will likely see persistent threats until newer remote access methods are adopted.
ReliaQuest’s Digital Risk Protection capability offers continuous deep- and dark-web monitoring, including tracking information like leaked VPN credentials. Additionally, our Threat Research team follows developing threats to VPN solutions and engineers new detections based on known telemetry and observed techniques.
In addition to implementing detection rules and assessing attack surface, defenders can take the following steps to significantly enhance the resilience of their VPN systems against evolving threats.