VPN Attacks Surged in First Quarter

Attacks against virtual private network (VPN) products from Fortinet and Pulse Secure surged dramatically in the first quarter of 2021 as threats actors tried to take advantage of previously disclosed vulnerabilities that organizations had not patched.

Log data collected by Nuspire from thousands of devices at customer locations show attacks against Fortinet's SSL-VPN increased 1,916% from the beginning of the quarter as threat actors tried to exploit a path traversal vulnerability in the technology (CVE-2018-13379) that could allow unauthenticated attackers to download files. Attacks targeting Pulse Connect Secure VPNs, meanwhile, jumped 1,527% during the same period as adversaries went after an arbitrary file disclosure vulnerability in the product (CVE-2019-11510) with a maximum possibility severity rating of 10.

Both vendors issued patches for the flaws in their respective products a long time ago, and security analysts have for some time been warning of high adversary interest in the vulnerabilities. As far back as January 2020, for example, Tenable had warned of threat actors leveraging the Pulse Connect Secure flaw to distribute the Sodinokibi ransomware strain. In April, the NSA, FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) identified Russia's Foreign Intelligence Service (SVR) as targeting the Fortinet and Pulse Secure VPN flaws in attacks against US and allied networks.

Jerry Nguyen, director of threat intelligence and rapid response at Nuspire, says the large spike in activity targeting VPN devices in Q1 2021 had to do with organizations not patching these vulnerabilities despite previous warnings.

"The US CIRT released a number of reminder alerts that attackers were looking at these VPNs and people should patch," Nguyen says. "The biggest thing we are seeing with VPNs [is that] everyone is looking at the endpoint and not the perimeter when they need to look at both."

Other vendors, such as Digital Shadows, have reported a similar heightened attacker interest in VPNs, especially after the COVID-19 outbreak and the subsequent shift to a more distributed work environment. One reason for the interest is the broad access that a compromised VPN appliance can provide an attacker, analysts have noted.

Read the rest of this article on DarkReading.