House of Cards: Your Guide to Getting Hacked Using VPNs
How Your Decision for Enabling Secure Remote Access Can Get You Hacked
Did you know that Virtual Private Networks (VPNs) are now dead and the rest of the world has moved to Software Defined Perimeter (SDP) solutions for secure remote access? So why are you still using a VPN?
Twenty-two years ago, I published the first vulnerability advisory to Bugtraq on hacking VPN appliances, from a company called RapidStream at the time, which had hard-coded the root password into its SSH binary, giving you a root shell on its VPN appliances. One year later, I published another advisory on how to circumvent VPNet appliances from the internet into the VPN-protected internal network.
Since that time, a total of 564 vulnerabilities have been registered in the CVE database at MITRE. Worse yet, three days ago, as of this post, Viasat was compromised through their VPN and Quickfox was found to be leaking 1 million user records from its VPN. In September of last year, Fortinet made the news when a hacker named Orange breached the Fortinet VPN service, which contained the logins for nearly half a million users and the IP addresses of almost 13,000 devices.
So why are people still using VPNs?
CISOs and CTOs are making a mass exodus away from VPNs, but what solutions are they moving toward instead?
Software Defined Perimeters
The continued explosion of zero trust, specifically zero trust network access (ZTNA), has created a new market of technology defined as software defined perimeter (SDP) solutions, which have largely replaced VPNs. Coupling software defined microsegmentation, which lets an organization move away from flat networks to secure enclaves of systems, with secure remote access leaves little to debate. It simply works, and it adopts a true zero trust framework in which users, devices, and data are not trusted by default, meeting the tenets of authentication and authorization. Simply being an employee or having a company-issued device doesn’t automatically grant you access to a system or its data.
SDP also finally makes segmenting large, pre-existing networks practical. Historically, network administrators had to segment at the switch level using pages and pages of VLAN access control lists (VACLs) or firewall rules; SDP lets administrators implement segmentation in software, eliminating flat networks. The importance of this is best told through the lens of numerous breaches, such as the infamous Target breach, where the HVAC systems were on the same network segment as the point of sale (PoS) systems, giving the attackers the ability to deploy malware onto the PoS systems and capture credit card information for every transaction. SDP would have enabled Target to move its PoS systems into a secure enclave that could only be accessed by the systems and users that needed access to it.
The biggest threat to organizations using VPNs is account takeover (ATO) as a result of password dumps or a user being phished, especially when MFA hasn’t been coupled with the VPN. SDP solutions let you require MFA for every login and completely eliminate passwords.
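To make the enclave model above concrete, here is an added example in Python (not BlastWave's code, nor anything from the white paper): a toy default-deny policy evaluator in which a principal's visibility and access are bound together, applied to the HVAC/PoS separation described above. All host, user and enclave names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the SDP idea described above: a principal (a user on a
# device, or a system) can reach only the enclaves its policy entry lists.
# Everything else is "invisible" to it: the request is dropped before any
# connection is attempted, so the destination cannot even be scanned.


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                 # "user" or "system"
    mfa_passed: bool = False  # passwordless MFA satisfied for this session


@dataclass
class Policy:
    enclaves: dict = field(default_factory=dict)    # enclave -> {principal names}
    membership: dict = field(default_factory=dict)  # system -> enclave

    def grant(self, principal: str, enclave: str) -> None:
        self.enclaves.setdefault(enclave, set()).add(principal)

    def place(self, system: str, enclave: str) -> None:
        self.membership[system] = enclave


def evaluate(policy: Policy, src: Principal, dst: str) -> str:
    """Return 'allow', 'invisible' or 'mfa-required' for src reaching dst."""
    # Every user session requires MFA; a stolen password alone yields no session.
    if src.kind == "user" and not src.mfa_passed:
        return "mfa-required"
    enclave = policy.membership.get(dst)
    if enclave is None or src.name not in policy.enclaves.get(enclave, set()):
        return "invisible"  # default deny: dst is not visible to src at all
    return "allow"


def visible_hosts(policy: Policy, src: Principal, probed: list) -> list:
    """What a scan from src discovers: only hosts in enclaves it may reach."""
    return [h for h in probed
            if h != src.name and evaluate(policy, src, h) == "allow"]


def flat_network_reachable(src: Principal, dst: str) -> bool:
    """Flat-network baseline: any host on the segment can reach any other."""
    return True


def target_scenario() -> dict:
    """Constructed scenario modelled on the Target breach: HVAC and PoS systems
    that once shared a flat segment are placed in separate enclaves."""
    p = Policy()
    for host in ("pos-01", "pos-02"):
        p.place(host, "pos-enclave")
    for host in ("hvac-01", "hvac-02"):
        p.place(host, "building-enclave")
    p.grant("pos-admin", "pos-enclave")
    p.grant("hvac-vendor", "building-enclave")
    p.grant("hvac-01", "building-enclave")  # HVAC controllers talk to each other
    all_hosts = ["pos-01", "pos-02", "hvac-01", "hvac-02"]

    hvac = Principal("hvac-01", "system")  # assume this controller is compromised
    vendor = Principal("hvac-vendor", "user", mfa_passed=True)
    stolen_pw = Principal("pos-admin", "user", mfa_passed=False)
    admin = Principal("pos-admin", "user", mfa_passed=True)
    return {
        # Flat segment: the compromised HVAC host reaches the PoS systems directly.
        "flat_hvac_to_pos": flat_network_reachable(hvac, "pos-01"),
        # Enclaves: the same HVAC host cannot see, let alone reach, PoS.
        "sdp_hvac_to_pos": evaluate(p, hvac, "pos-01"),
        "hvac_scan_sees": visible_hosts(p, hvac, all_hosts),
        "vendor_to_hvac": evaluate(p, vendor, "hvac-01"),
        "vendor_to_pos": evaluate(p, vendor, "pos-01"),
        "stolen_password_to_pos": evaluate(p, stolen_pw, "pos-01"),
        "admin_to_pos": evaluate(p, admin, "pos-01"),
    }
```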
Elimination of Exposed Services
Many solutions on the market expose their administrative interface alongside the VPN service, creating another attack vector through the VPN itself. If that login were successfully brute-forced, or worse yet guessed because the vendor’s default username and password were never changed, the solution itself can be used to compromise the network.
Maybe VPNs are still being used because they have become so ubiquitous. I can’t think of another cybersecurity solution in the market that is still being used 22 years later despite a history of vulnerabilities and empirical data pointing to breaches, when a newer, faster, and more secure technology has replaced it. But for some reason, “we just love us some VPN.”
Perhaps it’s an “if it ain’t broke, don’t fix it” mindset, where administrators just don’t want to replace their VPNs with something newer. Or maybe it’s because VPNs are often offered for nearly free by firewall vendors who have bundled VPN technology with their firewalls. In those cases, I suppose the old adage “you get what you pay for” applies perfectly.
But if much of what I’ve said in this article is news to you and you want to quickly join the crowd running away from VPNs, read the white paper I recently published, In The Valley of Kings: The Rise of SDP and Fall of VPNs, on which this article is largely based, and download a free 90-day trial of BlastWave’s SDP solution here.
CVE - CVE. (n.d.). CVE at MITRE. Retrieved April 3, 2022, from https://cve.mitre.org
Stack, T. (2022, March 31). “Misconfigured” VPN used to breach Viasat satellite network, malicious commands wiped modems. The Stack. Retrieved April 3, 2022, from https://thestack.technology/viasat-attack-caused-by-misconfigured-vpn/
Bracken, B. (2021, October 20). VPN Exposes Data for 1M Users, Leading to Researcher Questioning. Threatpost. Retrieved April 3, 2022, from https://threatpost.com/vpn-exposes-data-1m/175612/
Today, I want to talk about persistent threats. By now, I'm assuming that most of you have either heard about the recent persistent threat attacks, one being the SUNBURST attack on SolarWinds, the other the Hafnium attack on Microsoft Exchange, or perhaps, unfortunately, your organization has been a victim of one of them. As a result of all of those attacks, we've seen a tremendous amount of noise from the cybersecurity community talking about strategies for prevention, mitigation, etc.
But the real question is: is anyone really doing anything to attempt to create a line of defense against these attacks? At BlastWave, we would argue that for the most part, they're not. Yesterday, a colleague of mine, Paul Gracie, put out an article. It was a short, cheeky article entitled “Is it just me, or does the emperor have no clothes?”
If you want to read it, let me give you the link. Hold on. That's not the link here. It is. So this is the QR link, so you can just snap a picture of it with your phone and you should be able to connect to it. But as I said, it's a short article, and it was a little bit cheeky. Effectively, what it did is call out the establishment cybersecurity vendors on the fact that they're selling you security products that aren't actually securing your network.
It called out some burning problems that we have in the cybersecurity space today, specifically around the questions of whether we are creating this first line of defense and, beyond that, in the event that someone is able to penetrate your network and get on the inside, whether we have anything to mitigate the impact.
And so I want to walk through this, and I'm going to use a combination of a PowerPoint and some information off the web to go through it. So let's begin by taking a look at how our networks are protected today, and this is going to be familiar, probably, to everyone. It's usually a combination of three technologies in the wide area network.
You're leveraging some type of SSL VPN technology, a virtual private network, at the remote client; you're hopefully using some type of multi-factor authentication, hopefully passwordless, to protect your client's identity; and then within your local area network, where your protected systems and applications lie, you attempt to protect those through access control and segmentation.
And so if we look at that, we begin to ask the question: are these technologies that are designed to protect our critical systems today actually doing what they're supposed to do? Well, let's take a look at the statistics. Let's start with an interesting stat.
So this year we, as a global economy, spent $25 billion on VPN. It looks like it's going to be $76B by 2027. So we know we are continuing to invest in this technology. If we look at the leading vendors in this space, and we're not gonna mention any names, but you could see them: number one, number two,
number three. And this may change, but in general, over time, it's the same list of vendors. If we were to look at them and ask ourselves, well, how secure are these particular vendor solutions? Well, we could look at number one, so we could go over to NIST and do a quick search on this particular vendor.
And we can see that right now there are roughly 20 known vulnerabilities that range from pretty severe to reasonably severe. And that's 20 doors of entry for a malicious actor. If we were to take that same approach and look at number two, then if we look at their statistics, they're doing a little bit better, fewer, but it looks like at least one, if not more, of their vulnerabilities are highly critical.
So there are multiple paths of entry for a would-be actor as well. Then finally, if we look at number three, which is a very well-known name, and we look at theirs: 70. 70 known vulnerabilities from companies who are the leaders in providing virtual private networking technology. Now, why do we care about this?
Well, we care because these vendors, these solutions that are supposed to be our first line of defense against these persistent threats, are the very technologies that are being bypassed in many of these attacks. And if we think about that, it makes sense. Right? Let's walk through this.
So if we're deploying VPN within our wide area network, then for the most part we're using technology that's 20 years old and that, as we've seen a moment ago, has hundreds of known vulnerabilities. And each time a vulnerability is reported, those vendors have to go and create a patch. That patch then has to be rolled out to their customer community and then be propagated across the customers' networks.
So in many cases it could be weeks or months before the door is effectively closed to malicious actors. Now, if we move over to the left and look at the remote user, I think we're beginning to do a good job by applying multi-factor authentication. Hopefully most of those being leveraged now are passwordless, so that's good.
But many of them are single-surface based, which means that you can steal a single thing, and once you've stolen that single thing, a key fob, etcetera, they can take that and pretend to be you anywhere else in the world. So they're usually highly vulnerable to theft, but more importantly, they're not policy-aware. What we mean by that is that the devices that sit down here and perform the authentication process are largely unaware of what access policies you might be granted or not granted.
And so that puts them in a position where this network is kind of a set of disparate parts; they're not all acting in unison. Now, when we get to your LAN, most companies use good old-fashioned segmentation, right? So through access control lists, etc., they're segmenting the network.
It's a very time-consuming process for network engineers. It is, in fact, very prone to human error: more than 90% of all vulnerabilities and outages within networks today come from human error. Somebody made a configuration change that caused either an outage or a gap and created an opportunity.
And so while it's a great attempt, these are really complicated and prone to human error. As a result, they're really vulnerable to insider threats. And if we take a look at these attacks, we can see that that's the case. So we need to ask ourselves why we care about this, and in asking that, we want to look at the behavior of how these persistent threats break into your network. And there's no magic to it.
While they all may look unique in their approach, they all use a very common pattern. The first portion of the pattern is reconnaissance. Effectively, what they want to do is identify a system somewhere inside of your network that they can somehow connect to or get to, and then match up a vulnerability to it.
That may be a publicly known vulnerability, as in the list that we just went through a moment ago, or it might be a private vulnerability that they have discovered. But in either case, their goal is to find a system on the inside of your network, which leads to the next step, which is to create a piece of malicious code that they can then drop onto that system sitting inside your network.
Once the code's there, what do they want to do? Now they want to poke around. So they want to use the inherent vulnerabilities of your segmented LAN to scan around and find other systems that they can get to. And once they've done that, they'll try to propagate or replicate that particular piece of code to another system.
And then finally, what they want to do is call back home, right? So connect back home for the purpose of creating a command and control channel for that malicious actor. And if we take a look at that, then there's really no magic. Right? They're coming into your network via one of a couple of methods.
They're either coming through your secure network or they're walking in the front door. And in most cases, it's through your secure network that they're using to get there. In the case of SolarWinds, if we look at that real quickly, SolarWinds was a perfect example of that.
Effectively, what they did is the malicious entity had a malicious payload. They had identified, through surveillance and reconnaissance, a vulnerable system inside the SolarWinds build servers. So they dropped it down there and simply let SolarWinds' own secure communication channels propagate that update across to the SolarWinds Orion instances sitting inside the customer. From there, that instance replicated itself to other systems and then created a command and control channel back home, using the security technologies that we spent 20-some-odd billion dollars on this year, or rather not using them, effectively bypassing them.
In the case of the Hafnium attack, it was a very similar scenario. In this case, they were able to identify a vulnerability that allowed them to effectively bypass the Exchange authentication process. So they were able to connect into Exchange, and then from there deliver a malicious payload onto it. That allowed them to execute a script from there in Outlook Web Access and basically drag a bunch of Exchange emails back to wherever their servers are, and who knows what else? I don't even think we know yet how much impact that's going to have.
So those technologies that were used to protect the network to create that first line of defense were exploited in both of these attacks. And I think many in the community would argue that as it pertains to advanced persistent threats, this is just the beginning. So we've got to create that line of defense.
And let's talk about that. I want to introduce you to BlastWave. BlastShield is our product. BlastShield is a software-defined private network overlay that can be deployed over any packet-based network. When it's deployed, it renders your protected systems and applications, mechanical systems in industrial settings, sensors, etc., invisible. So the network itself, the BlastShield network, and all protected systems are effectively invisible. You can't scan it. You can't see it. You can't talk to it.
Remote user access into a BlastShield network is performed via a very convenient but highly secure three-surface multi-factor authentication process. The reason we use that model is that it makes it immune to common phishing exploits and also reduces the risk of theft because of the requirement for multiple surfaces. More importantly, within that multi-factor authentication process, your users' access and visibility are bound to each other by policy.
This inhibits the ability of, let's say, an actor pretending to be one of your remote users who connected into your network to now poke around, because they can't see other systems unless they're granted specific access to them. BlastShield is built on a proprietary transport methodology that is immune to SSL VPN exploits. So all of those hundred-plus exploits we just saw today, it is immune to those.
Effectively it delivers this encrypted edge to edge network that runs across the entirety from your edge user, into your application. And it's all manageable from a single policy orchestrator.
And so how does this relate to the attack vectors that we looked at before? Well, if you start with reconnaissance: since this network and the assets that are protected behind it are invisible, it makes it really difficult for reconnaissance to be performed, because you can't identify those assets. And if you can't identify them, then it removes the ability for you to begin to identify what exploits might be associated with those assets, which really leads to the second step, weaponization and delivery.
If you can't find systems protected by that particular network, then it makes it really difficult for you to deliver a payload into a protected system. And so in terms of delivery, it really inhibits the malicious actor’s ability to get their payload down inside your network.
Now, we all recognize we don't live in a perfect world. So if in fact a malicious payload is dropped into your network, this is where BlastShield’s ability to bind granular visibility to access control inhibits the ability of a piece of code to move laterally. You can envision a scenario where somebody walked through the door and dropped a piece of code onto a server. Well, if that server is protected behind a BlastShield network, even if that code were dropped in via a USB stick or something like that, it makes it really difficult for that malicious code to propagate, because its scanning ability and its ability to connect to other systems are controlled by policy. So it can't see or connect. So it really inhibits that.
And then finally, since BlastShield effectively creates this air gap around these assets, it's effectively air-gapping the malware as well. That prevents it from beaconing back to its home base and prevents command and control channels from being built.
So thank you for your time. I wanted to walk through this. As you can see, we are very serious about the subject of creating a first line of defense against these persistent threats. We would enjoy a conversation if you're interested in learning more. I'm going to put two links up real quickly.
First, this again is the link to Paul's article. Along with that, if you want to speak to Paul live, this is a QR link to his LinkedIn profile. Additionally, you can reach us at www.blastwave.io, and we would love to have communication with you. Thank you for your time. I appreciate it.
Tom Field
Hey, welcome back. Again, I'm Tom Field with Information Security Media Group. We are at RSA Conference 2021. The topic I'm speaking about in this segment is defending entry points. Really pleased to welcome to the studio Tom Sego, the founder and CEO of BlastWave Inc. Tom, thanks so much for taking time to speak with me.
Tom Sego
Thanks again, Tom. It's good to see you.
Tom Field
So let's start our conversation here. In what ways do you now see security requirements getting so complex that they're exceeding the capabilities of current protection solutions?
Tom Sego
Yeah, I think in terms of the requirements, the requirements are kind of going like this, they're going kind of straight up. And the security protection solutions are almost flatlined; there's very little innovation that's occurred in those, and there's been a lot more focus around the detection and remediation areas. So if we look at the security requirements that are driving that, we're seeing, at the device level, a lot of smart sensors for everything. We're also seeing at the data level that 90% of the world's data has been created in the last two years. And then there's a lot going on at the network level. Networks and devices in factories used to be air-gapped and immune from network-borne malware. But now those can no longer function that way in a world in which everything is connected: the global supply chain, industrial operations, everything needs to be connected, for remote access, for people working from home. Furthermore, the corporate network used to be this castle-and-moat situation. And now you have public cloud, hybrid cloud, on-prem, and even the employees' homes as part of that corporate network. And then there's this complexity around provisioning and setting access control, and an almost infinite number of combinations of human to application, human to machine, machine to machine and machine to application. In the past, we could just tack up VPN client-server solutions, but those days are gone. The VPN technology itself is 25 years old, and almost no innovations are occurring. The majority of VPN vendors also use the exact same SSL VPN stack, which makes it trivial for malicious actors to identify their products. In recent years, they tried to put together these SD-WAN products, software-defined wide area networks, in response to the dilemma. But if you peek under the hood, you see the same basic SSL VPN stack with the same old vulnerabilities and a new wrapper.
Tom Field
So, Tom, talk a little bit more about that. Where do you see some of the current protection technologies most obviously failing?
Tom Sego
Yeah, well, really, there's no magic to this. Whether it's carried out on applications, data, or mechanical industrial systems, attacks really only come through two sources, either physical or through the network. And statistically speaking, most of it comes through the network. In fact, there's an entire framework that describes this, called the Cyber Kill Chain. This is really important because it basically maps out the pattern that every attacker follows to perpetrate whatever they're trying to do. And if you can interrupt or break that chain, you can make a huge impact on protecting your critical assets. So let me just kind of walk through a couple of steps in this common pattern. First of all, malicious actors perform reconnaissance, or recon: they try to scan and see what assets and vulnerabilities exist. From there, they try to gain access to the network through the weakest link. Typically, it's credential theft, phishing or using an SSL VPN exploit. Next, they perform internal reconnaissance to identify the high-value assets, servers and data within that LAN. And then they try to use the same secure connection to deliver a payload and establish the back door.
Tom Field 03:56
So, Tom, give us some context. What evidence do you see in some of the latest attacks that have been getting our attention? The news is full of them.
Tom Sego 04:04
You're not kidding. I think in the last two quarters, we've witnessed at least five major ones, with one last week. Starting with the SolarWinds attack, which was the supply chain attack: state actors performed reconnaissance on the SolarWinds network. They then used compromised credentials to locate and gain access to the Orion build server. Then they used that same channel to deploy a payload that went into the update build. And then they simply let the server update itself to all of its customers. Once the malware was inside the customers' network, it again scanned and moved laterally, and then created a control back channel for future nefarious capabilities. The next big one was the Hafnium attack on Microsoft Exchange. And again, actors were able to get inside the secure network, most likely through compromised credentials. Then they performed recon to identify the Exchange servers. From there, there was a publicly known vulnerability that bypassed the authentication process. And they downloaded a payload, ran a script, created a remote command and control back channel and exfiltrated the email database. The next one was the Oldsmar water treatment plant in Pinellas County, Florida. And there a hacker performed, guess what, reconnaissance on the plant to discover how best to gain remote access through the TeamViewer app. They then obtained a set of compromised credentials to connect to the command console. Have you heard this before? Yeah, and then last week, the Colonial Pipeline attack was really bad. It brought down 45% of the fuel supply on the east coast. And guess how they started: they performed recon, they gained network access through compromised credentials or through a VPN exploit. They performed lateral movement to do recon within the network, deployed a payload, established a backdoor, etc.
Tom Field
So most of what you described isn't particularly sophisticated, but I haven't met anyone yet that said they fell victim to an unsophisticated attack. In what ways would you say our adversaries are upping their sophistication?
Tom Sego
Yeah, well, I think there are three trends that are enabling that sophistication. The first is just around monetizing anonymously, the ability to get paid through cryptocurrency. The second, though, is this blurring of lines between cyber criminal groups and state actors to conduct political espionage or cyber warfare. Cyber criminals are almost like well-paid subcontractors for these state actors. And finally, there's this explosion of tools, ransomware as a service; we'd never heard of that before. And today, kids can learn how to hack into networks simply by watching YouTube videos and downloading kits and running these things from the dark web or the internet. So really, there's kind of never been a better time to be a cyber criminal. It's easier and cheaper than ever. And plus, it's hard to get caught, because attribution is really tricky in cyberspace, much more so than in the real world.
Tom Field
Well, the good news is that there's job security in cyber security. So what new approach do we need to take now to defending these entry points to the network?
Tom Sego
Yeah, now we're getting down to the most important part in terms of what we do about it. Well, I think we fundamentally need to rethink network security. We can't just secure networks by cobbling together these disparate tools and widgets, such as VPNs, segmentation policies and firewall rules, and hope to secure our assets. This is a game of whack-a-mole that the industry is stuck in. So in order to create a dramatically more secure protective solution, it must be engineered from the ground up to eliminate massive classes of vulnerabilities. We've got to break that Cyber Kill Chain I talked about. So let me give you some specifics. Number one, we have to stop both external and internal reconnaissance by making those networks invisible and unresponsive to network scanning. Number two, 90 percent of network access is a result of phishing or credential theft, so we need a better identity mechanism; this 50-year-old approach of usernames and passwords, we need to get rid of them altogether, so there's nothing to steal. Number three, we need to ensure that the connection is truly edge to edge, and that it's impenetrable, by combining remote user authentication with encryption and LAN protection into a single layer, so you can't sniff the VPN tunnel, you can't use an SSL VPN exploit, and you eliminate lateral movement within the LAN by binding access and visibility through policy. Number four, make it easy to deploy, provision and configure. Number five, make it easy to use without requiring extensive training or changes to the network underlay. This takes a huge burden off the network team, as segmentation and access control changes are massively time-consuming and fraught with human error. And the last thing I would do is make the product very lightweight and software-based so you could effectively run it anywhere. And that's our team's vision for network protection in the modern world.
Tom Field
Well, that's exactly what I want to ask you about. Talk to me about BlastWave. How are you addressing these issues we've just talked about?
Tom Sego
Well, everything I just described to you are the pillars of our flagship product, BlastShield. It deploys over any packet-based network. It's built on a self-organizing, patented peer-to-peer architecture, and it deploys in minutes. Once it's deployed, BlastShield is itself invisible and renders your critical systems and applications invisible to both outsiders and insiders. You can't do reconnaissance if you can't see it. The icing on the cake, from my 10 years at Apple in terms of making things easy to use, is to make remote access dirt simple and use a multi-factor authentication process that's similar to Apple Pay. And then lastly, you put the entire network provisioning and management console in an orchestrator that's hosted within the BlastShield network. So there are no exposed web services. And this last point is a very big deal and a high point of differentiation, because if you look at the specific CVEs for existing VPN vendors, a large portion of the vulnerabilities are in the web services, and we eliminate this entire class and greatly reduce the attack surface.
Tom Field 10:41
Well said, Tom. I appreciate your time today. Thanks so much for taking time to speak with me and to shed some light on BlastWave.
Tom Sego
Thank you, Tom.
Tom Field
You've just heard about defending entry points. You've heard from Tom Sego; he is the founder and CEO of BlastWave Inc. For Information Security Media Group at RSA Conference 2021, I’m Tom Field, and as always, I'm grateful you gave us your time and attention. Thank you so much.
Tom Sego
Thank you, Tom.