Remote Access VPNs Have Ransomware on Their Hands

Another day and, unfortunately, another cyberattack accidentally introduced by VPN.

According to a Computer Weekly article, Travelex was hit by Sodinokibi ransomware, which disabled the foreign exchange company’s IT systems on New Year’s Eve. The attack was made possible when the company forgot to patch its Pulse Secure VPN servers. 

Sadly, these reports are becoming common as VPNs are now the favorite target of cybercriminals.
 

Antiquated leads to attacked

When remote access VPNs were first introduced 30 years ago, they were pretty awesome. Remote access from anywhere was a concept that was forward-thinking and game-changing. But VPNs were created during a time when most apps were running in the data center, which could easily be secured with a bunch of network security appliances.

However, the world has changed as internal apps have moved to the cloud. You have to deliver a great experience, which is what users expect, with the knowledge that 98 percent of security attacks stem from the internet.

Remote access VPNs require servers to be exposed to the internet and users to be placed onto the corporate network through static tunnels that drive holes through firewalls. Now the very same technology built to protect businesses has left them vulnerable to modern malware and ransomware attacks. 

So how exactly does this happen?
 

Footprint of a malware attack

Just this past week, Medium.com published an article describing how Sodinokibi ransomware gets introduced via a VPN. Let’s take a high-level look at the typical process for how malware is introduced to a network through a VPN vulnerability:
 

1. Cybercriminals scan the internet for unpatched remote access VPN servers.
2. Remote access to the network is achieved (without valid usernames or passwords).
3. Attackers view logs and cached passwords in plain text.
4. Domain admin access is gained.
5. Lateral movement takes place across the entire network.
6. Multifactor authentication (MFA) and endpoint security are disabled.
7. Ransomware (ex. Sodinokibi) is pushed to network systems.
8. The company is held up for ransom.

Negative impacts of VPN

Many organizations still feel that remote-access VPNs are necessary. And, in some cases, they may very well be. But, more often, VPNs are opening the network to the internet and, as a result, the business to increased risk. 
 

• Patching is often slow or forgotten – Remembering, and even finding time to patch VPN servers, is plain difficult. Teams are asked to do more with less, often creating a human challenge that leads to security vulnerabilities.  

• Placing users on the network – Perhaps the genesis of all the issues related to remote-access VPNs. For VPNs to work, networks must be discoverable. This exposure opens the organization to attack.

• Lateral risk at exponential scale – Once on the network, malware can spread laterally, despite efforts to perform network segmentation (which is a complex process in itself). As mentioned above, this can also lead to the takedown of other security technologies, such as MFA and endpoint security.

• The business’ reputation – Your customers trust that you will protect their information and provide the best level of service to them. To do this, businesses must be able to protect themselves. News of a ransomware attack has a detrimental impact on your brand reputation.

Making the case for a new approach

The negative impacts of VPN have led to a search for an alternative solution. Gartner says that this buzz has created a world where, “By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access (ZTNA).”

If you are considering alternative methods, such as ZTNA, keep these points in mind when positioning it to your executives:
 

• Minimize business risk – ZTNA allows for access to specific business applications (based on policy) without the need for network access. Also, there is no infrastructure ever exposed, so ZTNA removes the visibility of apps and services on the internet.

• Reduce costs – ZTNA can often be fully cloud-delivered as a service, which means there are no servers to purchase, patch, or manage. This is not limited to just the VPN server. The entire VPN inbound gateway can now be smaller or fully removed (external firewall, DDoS, VPN, internal firewall, load balancer, etc.).

• Deliver a better user experience – Given the increased availability of cloud ZTNA services when compared to limited VPN inbound appliance gateways, remote users are provided with a faster and more seamless access experience regardless of application, device or location.

NOTE: Not all ZTNA solutions are the same. Beware of vendors that call themselves “zero trust” but offer solutions that continue to place users on the network and expose business apps to the internet.
 

If you’re looking to replace your remote access VPN, you might find this page helpful. In the meantime, don’t forget to patch your VPN servers and be sure to stay one step ahead of attacks by checking out these must-explore resources: 
 

• Three Ways ZTNA Protects Against Ransomware
   
• Uncover Areas of Network Exposure with Zscaler Internet Attack Surface Analysis Tool.

Christopher Hines is the Head of Product Marketing for Zscaler Private Access and Z App.