[TheRecord] NSA, CISA publish guide for securing VPN servers

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) today published technical guidance on properly securing the VPN servers that organizations use to give employees remote access to internal networks.

The NSA said it put together the nine-page guide [PDF] after “multiple nation-state advanced persistent threat (APT) actors” weaponized vulnerabilities in common VPN servers as a way to breach organizations.

“Exploitation of these CVEs [vulnerabilities] can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device,” the NSA said today in a press release announcing the guide’s publication.

“If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network,” the agency added.

For example, Chinese, Iranian, and Russian state-sponsored groups have been spotted abusing vulnerabilities in Pulse Secure and Fortinet VPNs in campaigns that took place between 2019 and 2021.

Ransomware gangs such as Conti, Ryuk, REvil, DoppelPaymer, LockBit, and several others have also been spotted using VPN servers as their entry points into organizations before escalating access to internal networks and launching their file-encrypting attacks. Furthermore, cryptomining botnets have abused VPN servers to enter corporate networks and then compromise internal systems with hidden cryptocurrency mining software that exhausts computing resources for the attackers’ financial profit.

“Exploiting remote access VPNs can become a gateway to large-scale compromise,” Rob Joyce, Director of Cybersecurity at NSA, told The Record.

“We created guidance to help organizations understand what to look for when choosing VPNs and how to configure them to reduce the risk of being exploited. Use these recommendations to verify any VPNs are securely configured.”

VPN servers are entry points into protected networks, making them attractive targets. APT actors have and will exploit VPNs – the latest guidance from NSA and @CISAgov can help shrink your attack surface. Invest in your own protection! https://t.co/npBc8Sh9A4

— Rob Joyce (@NSA_CSDirector) September 28, 2021

The guide, which is expected to receive updates in the future as new issues and recommendations are discovered, contains advice on the following topics:

- Considerations for selecting remote access VPNs
- Directions on configuring strong cryptography and authentication
- Advice on reducing the VPN’s attack surface by running only strictly necessary features
- Guidance on protecting and monitoring access to and from the VPN

Today’s guidance release comes after the two agencies also released another joint guide on hardening the security of Kubernetes clusters last month, in August 2021.

The post NSA, CISA publish guide for securing VPN servers appeared first on The Record by Recorded Future.
