CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers

Share this article on:

In an effort to prevent the spread of the coronavirus, many employers are telling their employees to work from home. While this measure is important for reducing the risk of contracting Coronavirus Disease 2019 (COVID-19), working from home introduces other risks.

In order to protect against cyberattacks, enterprise-class virtual private networks (VPN) solutions should be used to connect remotely to the network. VPNs secure the connection between a user’s device and the network, allowing them to access and share healthcare information securely.

While VPNs will improve security, many VPN solutions have vulnerabilities that can be exploited by cybercriminals. If those vulnerabilities are exploited, sensitive data can be intercepted, and an attacker could even take control of affected systems. Cybercriminals are actively searching for vulnerabilities in VPNs to exploit, and the increase in remote workers as a result of the coronavirus gives them many more targets to attack.

The risks associates with VPNs and the increase in the number of remote workers due to the coronavirus has prompted the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) to issue an alert advising organizations to increase VPN security and adopt cybersecurity best practices to protect against cyberattacks.

Several vulnerabilities have been discovered in popular VPN solutions in the past 12 months, including VPN applications from Palo Alto Networks, Pulse Secure, and FortiGuard. While patches have been released to address the vulnerabilities, many organizations have not updated their software to the latest version. The failure to patch negates the protection provided by the VPN.

A campaign was detected in January 2020 targeting the CVE-2019-11510 remote code execution vulnerability in Pulse Secure Connect and Pulse Policy Secure to deliver REvil ransomware. By exploiting the vulnerability, an attacker could potentially gain access to all active users and obtain their credentials in plaintext and execute arbitrary commands on VPN clients as they connect to the server. A patch to correct the vulnerability was released by Pulse Secure on April 24, 2019, yet 9 months later, many organizations are still using vulnerable versions of the VPN.

Updating VPNs can be difficult because they are often in use 24/7; however, it is essential that updates are applied due to the high risk of exploitation of unpatched vulnerabilities. CISA is urging all organizations to ensure that VPN patches are prioritized.

It is also important to make sure that users only have access to systems that are critical to perform their work duties. Ensuring remote workers have low level privileges will reduce the harm that can be caused if their credentials are compromised. IT teams should also step up monitoring of their networks and should be reviewing access logs to identify potential compromises.

CISA has also warned about an increase in phishing attacks targeting remote workers to obtain VPN credentials. Email security solutions need to be in place to capture these messages before they are delivered, and multifactor authentication should be implemented for remote access to prevent stolen credentials from being used. CISA warns that organizations that fail to implement MFA will be at greater risk from phishing attacks.

IT teams also need to make sure their systems can cope with the increased number of remote workers. CISA warns that organizations may find they only have a limited number of VPN connections, and when they are all in use some users will be prevented from accessing systems to conduct telework. “With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks,” warns CISA.

The HHS’ Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against the COVID-19 and the HHS’ Office for Civil Rights has announced it will be exercising enforcement discretion in relation to telehealth. This will allow more healthcare workers to work remotely over the coming weeks. It is therefore critical that VPN best practices are followed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On