Over the last 12 months, we’ve seen a significant uptick in attacks against firewalls and virtual private networks (VPNs). In a recent report from Zscaler, researchers noted that 50% of organizations surveyed experienced one or more VPN-related cyberattacks. Moreover, 91% of respondents were concerned about VPNs being part of the attack chain in compromising enterprise IT and security. Earlier research from Cisco Talos supports this as well. Talos researchers found recently that Cisco’s Secure Firewall VPN and VPN services from Fortinet, SonicWall, and others, were all part of attack campaigns.
Because firewalls and VPNs are critical components of an organization’s defense, these attacks should be a major signal to security teams that they need to review their current security defenses. Let’s explore why this is happening, who’s behind it, and most importantly, what you can do to protect your enterprise.
Vulnerabilities Under Fire: A Shift in Attack Strategy
We’re witnessing a disturbing trend: attackers are increasingly setting their sights on the very security tools designed to protect organizations. Firewalls and VPNs, once considered the guardians of the network perimeter, are now prime targets for exploitation. This shift in strategy represents a significant escalation in the threat landscape.
Here’s how this new attack vector plays out:
- The Gateway to the Kingdom: By compromising firewalls or VPNs, attackers gain a foothold within the network. This often gives them unfettered access to sensitive internal systems and data, which they may not have been able to reach directly.
- Zeroing in on Zero-Days: Threat actors are actively seeking out zero-day vulnerabilities in firewalls and VPNs – flaws unknown to vendors and for which no patches exist. This gives them a significant advantage, as organizations have no time to react before an attack occurs.
- Exploiting the Familiar: Even known vulnerabilities in older, unpatched firewalls and VPNs can be exploited with devastating consequences. These legacy systems become low-hanging fruit for attackers.
- Supply Chain Sabotage: The software supply chain has become a weaponized battleground. Compromised updates or third-party components within firewalls and VPNs create hidden backdoors for attackers.
Furthermore, many deployed firewalls and VPNs are outdated, and those with known vulnerabilities remain easy entry points. Additionally, as with any system, misconfigurations can open up networks to attackers.
The Wide-Reaching Impact
When security tools are compromised, the damage is often amplified:
- Trusted Access: A breached firewall or VPN can give attackers legitimate-looking credentials, making their activity harder to detect.
- Lateral Movement: Once inside, attackers can easily move laterally across the network, accessing sensitive data or planting malware.
- Defense Down: The very tools meant to detect and block threats are turned against the organization, rendering them blind and vulnerable.
- Prolonged Impact: It can take considerable time and resources to fully investigate and remediate a compromised security tool.
The industries most heavily impacted by firewall and VPN attacks include:
- Healthcare: Patient data confidentiality and medical system uptime are under constant threat.
- Finance: Sensitive financial information and transactions are highly attractive targets.
- Critical infrastructure: Attacks can disrupt essential services for entire populations.
- Government: State secrets and confidential information are a prime target for espionage.
- Technology: These companies often store valuable intellectual property and customer data.
No industry is immune, and the consequences are far-reaching: data exfiltration, system disruption, reputational damage, and regulatory fines. This shift in threat actors’ attack strategy highlights the critical need for organizations to adopt a more proactive and layered approach to security.
The Usual Suspects
Numerous threat actors have demonstrated a keen interest in exploiting firewall and VPN vulnerabilities. Here are some notable examples, categorized by their motivations and affiliations:
Nation-State Actors:
- Advanced Persistent Threat (APT) groups: These state-sponsored groups, often associated with China, Russia, Iran, and North Korea, are known for their sophisticated attacks aimed at espionage, intellectual property theft, and disruption of critical infrastructure.
For example, nation-state actors targeted the MITRE Corporation in April 2024, exploiting Ivanti VPN zero-days for espionage purposes.
Cybercriminal Groups:
- Ransomware Gangs: Groups like Conti, REvil, and LockBit have exploited VPN vulnerabilities to gain initial access to corporate networks, leading to devastating ransomware attacks.
For example, in 2020, REvil targeted Pulse Secure VPNs as an entry point into major organizations for its ransomware operations.
Other Threat Actors:
- Hacktivist Groups: These groups may target firewalls and VPNs for ideological reasons, seeking to expose vulnerabilities or disrupt operations.
- Opportunistic Attackers: These actors may not have specific targets or be very sophisticated, but they can exploit known vulnerabilities to gain access and potentially sell that access to others.
As regions around the world continue to see political, social, and economic instability, hacktivists have resurfaced as a threat group to keep eyes on.
It’s important to note that the threat landscape is constantly evolving, with new actors emerging and existing ones adapting their tactics. Attribution of attacks can also be challenging, as actors often use obfuscation techniques to mask their identities.
Protection Strategies: Best Practices
While it can seem impossible for defenders to stay ahead of attackers, especially when attackers exploit the very tools defenders use to protect enterprises, proactive measures can reduce an organization’s risk and provide the visibility it needs to act quickly when something is found. These proactive measures include:
- Patch diligently: Install security updates for your firewalls, VPNs, and endpoint devices as soon as they’re available.
- Harden configurations: Review and restrict firewall rulesets. Use the principle of least privilege.
- Segment your network: Break down your network into zones to limit the blast radius of breaches.
- Implement MFA: Use multi-factor authentication on all VPN access points.
- Monitor and audit: Regularly check for unusual activity and conduct vulnerability scans.
- Train your users: Educate staff on identifying phishing attempts and strong password hygiene.
- Incident response plan: Have a plan for how to quickly isolate, contain, and remediate a potential attack.
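As an added illustration of the “harden configurations” and “monitor and audit” items above, the following script audits a firewall ruleset for least-privilege violations and checks VPN authentication logs for two common warning signs: successful logins that bypassed MFA and repeated failures from a single source. This is example code written for this article, not a Syxsense tool or a vendor API; the ruleset fields, the log line format, the management-port list, and the failure threshold are all constructed assumptions, and the sample rules and log lines are made up.

```python
"""Constructed audit helpers: least-privilege ruleset review and VPN auth log triage.
The rule schema, log format, MANAGEMENT_PORTS and thresholds are assumptions for
this example, not any vendor's real format."""
import re
from collections import Counter

# Assumption: these ports carry remote-administration services in this environment,
# so a rule exposing them to "any" source almost certainly violates least privilege.
MANAGEMENT_PORTS = {22, 23, 3389, 8443}


def audit_ruleset(rules):
    """Return (rule_id, reason) findings for allow rules that are too broad:
    any-source/any-destination/any-port allows, or management ports open to any source."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot over-grant access
        if rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any":
            findings.append((rule["id"], "allow any source to any destination on any port"))
            continue
        if rule["src"] == "any" and rule["dport"] != "any" and int(rule["dport"]) in MANAGEMENT_PORTS:
            findings.append((rule["id"], f"management port {rule['dport']} exposed to any source"))
    return findings


# Constructed log format: "<timestamp> vpn user=<u> src=<ip> result=<success|failure> mfa=<yes|no>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


def find_suspicious_logins(lines, failure_threshold=5):
    """Flag successful VPN logins that completed without MFA, and source IPs with
    at least failure_threshold failed attempts (a password-guessing indicator)."""
    findings = []
    failures = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        if m["result"] == "failure":
            failures[m["src"]] += 1
        elif m["mfa"] == "no":
            findings.append(("no_mfa", m["user"], m["src"]))
    for src, count in failures.items():
        if count >= failure_threshold:
            findings.append(("brute_force", src, count))
    return findings


# Constructed sample ruleset: rule 20 is a blanket allow, rule 30 exposes SSH to the world.
RULES = [
    {"id": 10, "action": "allow", "src": "10.0.1.0/24", "dst": "10.0.2.5", "dport": "443"},
    {"id": 20, "action": "allow", "src": "any", "dst": "any", "dport": "any"},
    {"id": 30, "action": "allow", "src": "any", "dst": "10.0.0.1", "dport": "22"},
    {"id": 40, "action": "deny", "src": "any", "dst": "any", "dport": "any"},
]

# Constructed sample log: one MFA-less success, five failures from one source, one stray failure.
SAMPLE_LOG = [
    "2024-06-01T08:00:01Z vpn user=alice src=203.0.113.10 result=success mfa=yes",
    "2024-06-01T08:00:05Z vpn user=bob src=198.51.100.7 result=success mfa=no",
] + [
    f"2024-06-01T08:01:{i:02d}Z vpn user=admin src=192.0.2.9 result=failure mfa=no"
    for i in range(5)
] + [
    "2024-06-01T08:05:00Z vpn user=carol src=203.0.113.11 result=failure mfa=no",
]

if __name__ == "__main__":
    for rule_id, reason in audit_ruleset(RULES):
        print(f"rule {rule_id}: {reason}")
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print("vpn:", finding)
```

Both checks are deliberately simple so they can be adapted to a real export: the ruleset audit only needs each rule reduced to source, destination, port and action, and the log check only needs a regular expression matching the appliance’s own authentication log format. Running them on a schedule, and treating each finding as a ticket rather than a console message, turns the “monitor and audit” item into a repeatable control.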
Don’t Wait
The escalating attacks on firewalls and VPNs serve as a sobering reminder that perimeter security is more important than ever. As organizations increasingly rely on remote access and cloud-based services, the perimeter is expanding, making it more challenging to secure.
But that doesn’t mean you should give up.
The time to act is now: don’t wait to take proactive measures to protect your organization. By implementing the tips and strategies outlined above, you can help defend against evolving threats and mitigate potential damage from firewall and VPN attacks.
If your organization needs help gaining visibility into your endpoints and security tools or help patching and hardening them, find out how Syxsense can help automate all this and more.