The NSA advisory concerns the exploitation of multiple vulnerabilities in Virtual Private Network (VPN) applications. As is often the case, these official government warnings come when vulnerabilities that have been known about for some time, and for which fixes are available, are still being actively exploited. Indeed, according to the NCSC alert, the vulnerabilities are well documented in open source, and the exploit activity is continuing against international targets across the academic, business, government, healthcare and military sectors.
Commenting on this, Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center), said “Most remote workers are familiar with a key requirement to access corporate systems – the ubiquitous VPN client or VPN software. VPN software is used by most businesses to provide a connection to services secured on internal networks to their employees who require access from public networks. The software works by bridging the network on the client device, be it a desktop, laptop or tablet, to the internal network. Access occurs over an encrypted network connection which in theory ensures that sensitive corporate information isn’t visible to other users on the public network and is only accessed by authorised individuals. VPN software is of course a software application, and it needs to be secured just like any other software – so what happens when it isn’t?
This is precisely the scenario outlined in the advisory from the US NSA and the UK NCSC issued on October 7 following up on an advisory from the Canadian Centre for Cyber Security in August based on research disclosed at the annual Black Hat and DEFCON conferences in August. In their talks at Black Hat, the researchers from DEVCORE outlined a series of exploits in popular VPN software from multiple vendors. In each of the scenarios covered, the researchers followed responsible disclosure practices and worked with the VPN vendors to ensure patches were created. So if patches are available, why is the NSA issuing a bulletin almost two months later?
Whenever new research is published showing a potential exploit, that exploit will eventually form part of a toolkit used by malicious actors. In this case the NSA is calling out that a class of attack known as an Advanced Persistent Threat, or APT, has been created to take advantage of the vulnerabilities disclosed. An APT relies on the reality that inevitably someone won’t have patched their system and then can be exploited. The easy answer then becomes to patch, but this time it’s more complicated. Given the nature of the vulnerabilities, it’s entirely possible that a successful exploit has occurred with at least one user of an impacted system. Proper patching in this context requires both a reset of any access credentials and potentially a reset of any access tokens used by users for cloud services. The credential reset must occur after the patch has been applied as any reset prior to the patch could enable the attackers to collect the updated credentials. It’s also worth noting that the researchers were able to demonstrate a bypass of a 2FA solution meaning that organisations who are delaying rollout of patches believing that their MFA solution mitigates the attack vector may be at greater risk. The last part of the remediation is to perform a forensic analysis to ensure that no infection occurred and that systems are configured as expected.
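The remediation order described in the quote above (patch first, then reset credentials and cloud tokens, then verify forensically) can be turned into a check that a defender runs against an inventory of VPN gateways. The following is an added example, not code from the article or from Synopsys; the `VpnGateway` record, the user list and the timestamps are constructed sample data, and the hypothetical `remediation_findings` function flags any reset performed before the patch as still exposed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class VpnGateway:
    """Remediation state of one VPN appliance (hypothetical inventory record)."""
    name: str
    patched_at: Optional[datetime]          # when the vendor fix was applied; None if not yet
    credential_resets: Dict[str, datetime]  # user -> most recent VPN credential reset
    token_resets: Dict[str, datetime]       # user -> most recent cloud access-token revocation
    forensics_done: bool                    # post-patch config/integrity review completed


def remediation_findings(gw: VpnGateway, users: List[str]) -> List[str]:
    """Return the outstanding remediation steps for one gateway.

    Ordering matters: a credential or token reset that happened before the
    patch could have been captured through the still-vulnerable appliance,
    so it is reported as exposed and must be repeated after patching.
    """
    if gw.patched_at is None:
        # Resetting anything now would hand an attacker the fresh credentials.
        return [f"{gw.name}: not patched; defer credential and token resets until patched"]
    findings: List[str] = []
    for user in users:
        for kind, resets in (("credentials", gw.credential_resets),
                             ("cloud tokens", gw.token_resets)):
            when = resets.get(user)
            if when is None:
                findings.append(f"{gw.name}/{user}: {kind} not reset since patch")
            elif when < gw.patched_at:
                findings.append(f"{gw.name}/{user}: {kind} reset before patch; "
                                "treat as exposed, reset again")
    if not gw.forensics_done:
        findings.append(f"{gw.name}: forensic review of configuration and integrity outstanding")
    return findings


SAMPLE_USERS = ["alice", "bob"]  # constructed sample data


def sample_fleet() -> List[VpnGateway]:
    """Three constructed gateways: partially remediated, unpatched, fully remediated."""
    patch = datetime(2019, 10, 8, 9, 0)
    after, before = datetime(2019, 10, 8, 12, 0), datetime(2019, 10, 7, 8, 0)
    return [
        VpnGateway("vpn-a", patch, {"alice": after, "bob": before}, {"alice": after}, False),
        VpnGateway("vpn-b", None, {"alice": after, "bob": after}, {}, False),
        VpnGateway("vpn-c", patch, {"alice": after, "bob": after},
                   {"alice": after, "bob": after}, True),
    ]
```

Running `remediation_findings` over `sample_fleet()` reports bob's pre-patch password reset on vpn-a as exposed, tells vpn-b to patch before touching any credentials, and returns nothing for vpn-c.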