VPN hacks can be lethal, warns security expert

Many organisations implement virtual private network (VPN) access to improve the security of remote connections, but there are associated risks that should not be overlooked.

Although not as well known as ransomware attacks, VPN hacks are often part of highly targeted cyber attacks, according to Ofer Shezaf, director of cyber security at Varonis Systems.

“We seldom learn the technical means used in such attacks, but the attack on the power supply in Ukraine in December 2015 is a good example of how lethal those attacks can be,” he told Computer Weekly.

To access the system to shut down the circuit breakers at a substation, Shezaf said the attackers stole credentials and penetrated the system through the VPN using a hijacked account.

Other examples of VPN abuse, he said, include the 2014 case in which a system administrator at Georgia Pacific, a large US paper manufacturer, was fired and used VPN remote access to destroy manufacturing equipment.

The RSA breach is yet another example, in which hackers stole the private key used to generate all of RSA’s Secure IDs to penetrate organisations that used Secure ID through their VPN, most notably stealing confidential information from a major defence contractor.

The best-practice approach to mitigating VPN hacking, according to Shezaf, is two-factor authentication (2FA). Where 2FA is implemented, the user is required to present something else besides a password to authenticate.

The most commonly used additional factor for 2FA is a text message, and others are one-time code apps or devices and biometric means such as a fingerprint or face recognition

2FA is important and reduces risk, said Shezaf, but added that it is “not a bulletproof solution”. Because text messages are often used for 2FA, getting access to someone’s phone is an easy way to bypass 2FA, he warned. More sophisticated hackers took advantage of a well-known weakness in SS7, the signaling protocol for phone networks to get access to 2FA authentication text messages.

“As the RSA incident shows, bypassing 2FA is possible not only for texting-based 2FA, and so while 2FA works well against random, low-cost attacks, sophisticated hackers performing targeted attackers find ways around it,” he said.

The other issue with 2FA is that it cannot be universally used because it can be difficult or impossible use, said Shezaf. “For example, it is difficult to weave 2FA into an authentication sequence if you are driving and it is impossible to access a website that relies on limited life text access codes if the code is sent while you were on a flight,” he said.

As a result, many interfaces allow some sort of authentication without 2FA, but hackers can use this to their advantage, Shezaf said.

“The assumption today is that breaches will happen, but must be detected, quarantined and mitigated as fast as possible. To augment traditional VPN security and 2FA, we need to employ analytics to detect attacks,” he said.

For example, to outsmart an attacker compromising a VPN, analytics could be used to block two consecutive logins for the same user from locations hundreds or thousands of miles apart or to detect brute force attacks or access attempts from known bad sources.

“Machine learning can help you to understand how various users normally use a VPN, analysing where and when they normally connect, what internal resources they use when outside, and how much data they usually transfer,” said Shezaf.

“Advanced analytics would combine VPN data with data from other sources to ensure more accurate and context-aware detection. Working from an unexpected remote location is much more suspicious if the user did not log in recently. Likewise, an abnormal amount of data transfer through a VPN connection is more alarming if the user also touched sensitive or stale data at the same time,” he said.

This lesson could be to other remote access methods such as remote desktop protocol (RDP) and cloud, said Shezaf.

“The use of VPN is on the decline as organisations adopt a perimeter-less architecture, utilising more and more cloud services. However, the same challenges and solutions apply to cloud services,” he said.

“Authentication is once again a weakness, 2FA provides an answer, but it has shortcomings. The same analytics used to detect malicious VPN activity can be used to detect malicious cloud access.”

RDP, developed by Microsoft, is increasingly serving as a simple VPN. “Since it is more common than any specific VPN product, it has become a frequent target for malware,” said Shezaf.

“In recent months, RDP is challenging drive-by-download as the top infection vector for ransomware. Extending VPN analytics to RDP could serve as an excellent safety control for those attacks,” he said.

Shezaf will discuss this topic in more detail at Infosecurity Europe 2018 in London on 6 June during his presentation entitled: Anatomy of VPN Hacks: Is 2FA Enough?