VPN with a trick: what security providers are silent about

Hackers have found unexpected ways to compromise the network infrastructure.

In recent years, the protection of VPN servers has become one of the main topics in the world of cybersecurity. A series of critical vulnerability disclosures and their active exploitation by intruders caused a real panic among administrators and users. However, the problem is far from new: VPN servers have long attracted the attention of hackers because they are exposed to the Internet and are often poorly secured.

Attackers traditionally exploit VPN vulnerabilities to break into internal networks, using compromised servers as a springboard for further attacks. However, some experts wonder: should we limit ourselves to just this scenario? The study showed that a compromised VPN server can provide hackers with much more opportunities.

One of the most common methods of exploiting a compromised VPN is to install malware on the appliance's operating system. This gives a hacker full control of the server: intercepting confidential information, manipulating logs to hide their activity, and changing system configurations to preserve access. However, developing and maintaining such tools requires significant resources, which makes this method available mainly to state-sponsored attackers.

An alternative approach to exploiting compromised VPN servers may be simpler and more cost-effective. Instead of installing malware on the device, attackers can use the capabilities of the VPN itself by gaining access to its management interface. Such access can be obtained through authentication bypass vulnerabilities, weak passwords, or phishing attacks.

Research conducted by Akamai has identified several ways to exploit leading VPN servers, such as Ivanti Connect Secure and FortiGate, which can compromise the entire network. Among the most dangerous methods are intercepting the credentials of external authentication servers, such as LDAP and RADIUS, and using this data to gain access to other resources on the network.

The research pays special attention to VPN servers that use LDAP for authentication. In some configurations, credentials are transmitted in clear text, which allows attackers to intercept them easily and use them for further attacks. However, even the use of secure protocols can be undermined if a hacker controls the VPN and is able to change the settings back to insecure ones.

Another dangerous method is to register a fake authentication server, which allows hackers to intercept the credentials entered by users when logging in. This approach can be implemented on both FortiGate and Ivanti, making it versatile and highly efficient.

In addition, the study revealed serious problems with the security of VPN configuration files. These files can contain a variety of secret data, including passwords and encryption keys, which are often stored in an encrypted but reversible form. FortiGate and Ivanti are especially exposed here because they use static encryption keys, so an attacker who obtains the configuration files can decrypt the data they contain.

Given the identified vulnerabilities, experts recommend adhering to Zero Trust Network Access (ZTNA) principles, limiting the rights of service accounts, using separate identities for VPN authentication, and carefully monitoring device configuration changes. These measures will significantly reduce the risks associated with operating VPN servers and help prevent possible attacks.
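The recommendation to monitor configuration changes ties directly to the two techniques described above: reverting LDAP from a secure transport back to clear text, and registering an extra authentication server that receives users' credentials. As an added example, not part of the original post or of Akamai's research, the Python script below diffs two constructed snapshots of a VPN appliance's authentication-server configuration and flags exactly those changes. The snapshot schema, server names and hosts are assumptions made for the demo, not the real FortiGate or Ivanti configuration syntax.

```python
"""Diff two snapshots of a VPN appliance's external authentication-server
configuration and flag the changes an attacker with admin access would make.
Constructed demo: the snapshot schema is a generic abstraction, not the real
FortiGate or Ivanti configuration syntax."""
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]  # server name -> settings
SECURE_TRANSPORTS = {"ldaps", "ldap+starttls"}


def audit_auth_servers(before: Snapshot, after: Snapshot) -> List[str]:
    """Return one finding per security-relevant change between two snapshots."""
    findings: List[str] = []
    for name, new in after.items():
        if name not in before:
            # A newly registered authentication server is what the fake-server
            # credential interception described above looks like in the config.
            findings.append(f"NEW_AUTH_SERVER {name} -> {new.get('host')}")
            continue
        old = before[name]
        if old.get("host") != new.get("host"):
            findings.append(f"HOST_CHANGED {name}: {old.get('host')} -> {new.get('host')}")
        # Reverting LDAPS/StartTLS to plain LDAP puts credentials on the wire in clear text.
        if old.get("transport") in SECURE_TRANSPORTS and new.get("transport") not in SECURE_TRANSPORTS:
            findings.append(f"TRANSPORT_DOWNGRADE {name}: {old.get('transport')} -> {new.get('transport')}")
        if old.get("verify_cert", True) and not new.get("verify_cert", True):
            findings.append(f"CERT_VERIFICATION_DISABLED {name}")
        if old.get("bind_dn") != new.get("bind_dn"):
            findings.append(f"BIND_ACCOUNT_CHANGED {name}: {old.get('bind_dn')} -> {new.get('bind_dn')}")
    for name in before.keys() - after.keys():
        findings.append(f"AUTH_SERVER_REMOVED {name}")
    return findings


# Constructed sample snapshots: a trusted baseline export and a later, tampered export.
BASELINE: Snapshot = {
    "corp-ldap": {"host": "ldap.corp.example", "transport": "ldaps",
                  "verify_cert": True, "bind_dn": "cn=vpn-svc,ou=svc,dc=corp,dc=example"},
}
TAMPERED: Snapshot = {
    "corp-ldap": {"host": "ldap.corp.example", "transport": "ldap",
                  "verify_cert": True, "bind_dn": "cn=vpn-svc,ou=svc,dc=corp,dc=example"},
    "corp-ldap-2": {"host": "203.0.113.20", "transport": "ldap",
                    "verify_cert": False, "bind_dn": "cn=vpn-svc,ou=svc,dc=corp,dc=example"},
}

if __name__ == "__main__":
    for finding in audit_auth_servers(BASELINE, TAMPERED):
        print(finding)
```

Run against exported configuration backups after every change event or on a schedule; any finding should raise an alert, since legitimate administrators rarely need to downgrade transport or add an authentication server without a change ticket.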

In conclusion, the threat to the security of VPN servers is real, and administrators should prepare for possible attacks in advance, taking preventive measures to protect their networks.
