Akamai warns enterprises that VPN attacks will only increase
During Black Hat USA 2024, Akamai's Ori David revealed new VPN post-exploitation techniques that open the attack vector to threat actors of all skill levels.
LAS VEGAS -- Following a year of significant VPN attacks, Akamai said the threat is only going to increase and become more accessible to threat actors of all skill levels.
During Black Hat USA 2024 on Wednesday, Ori David, senior security researcher at Akamai, led a session titled, "Tunnel Vision: Exploring VPN Post Exploitation Techniques." Throughout the session, David demonstrated post-exploitation techniques that would open the threat vector to not just nation-state actors but less sophisticated attackers as well.
David focused his research on Ivanti and Fortinet VPN products, which experienced significant attacks over the past year. For example, in January, a Chinese nation-state threat actor exploited two Ivanti zero-day vulnerabilities, which came under widespread exploitation after public disclosure. The problem was so dire that in April, Ivanti CEO Jeff Abbott issued a statement on how the company planned to revamp its internal processes and strategies.
Last year, Fortinet saw multiple attacks against its SSL VPN, including a pre-authentication heap-based buffer overflow tracked as CVE-2023-27997, which received a 9.8 CVSS score.
Additionally, government agencies earlier this year revealed the Chinese nation-state actor Volt Typhoon gained initial access to victim organizations by exploiting known or zero-day vulnerabilities in VPNs and other edge devices such as routers and firewalls. More alarmingly, Volt Typhoon had been lurking in some victim environments for at least five years before being detected.
"Last year was pretty rough for VPN security. It seemed like literally every month, a critical vulnerability was discovered in one of the top VPN services in the market, and those vulnerabilities often led to mass exploitation," David said during the session.
David stressed that VPN post-exploitation activity gives attackers a significant level of access, but it can be expensive to pull off, which is why it's often limited to nation-state actors. However, he experimented with Ivanti and Fortinet VPN products and found techniques that less-sophisticated actors could leverage against victim organizations. To do so, he used living off the land (LOTL) techniques, a growing trend among threat actors like Volt Typhoon. Such techniques involve threat actors abusing legitimate products and existing tools on victims' networks to evade detection.
During the research, he tested Ivanti and Fortinet products under the assumption that threat actors had already gained access to the management interface. From there, he abused the Lightweight Directory Access Protocol (LDAP), which in most enterprise deployments is backed by Windows Active Directory (AD), the directory that holds the organization's user accounts and credentials. Because the VPN appliance authenticates users against that directory, an attacker who controls the appliance's LDAP settings sits in the path of every bind the appliance performs.
"I discovered a way for VPN post exploitation for attackers of all levels," David said. "If normal LDAP is used, cleartext credentials will be sent from the server. If an attacker controls your VPN, it will be able to compromise any LDAP credential."
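To make the LDAP point concrete, here is an added example (not Akamai's, Ivanti's or Fortinet's code) that builds a simple BindRequest the way an LDAP client encodes it under RFC 4511 and then decodes it the way a party sitting on the appliance could: the service-account DN and password are right there in the octets. The DN, password and message IDs are constructed sample values. A SASL bind, by contrast, carries no password in the request, and LDAPS or StartTLS would put the whole exchange inside TLS.

```python
"""Decode the simple-bind credentials an LDAP client puts on the wire.

Added example for this article; it is not Akamai's, Ivanti's or Fortinet's
code. The LDAPMessage / BindRequest layout follows RFC 4511 (BER-encoded).
The DN, password and message IDs used below are constructed sample values.
"""
from __future__ import annotations

SEQUENCE_TAG = 0x30       # LDAPMessage envelope
INTEGER_TAG = 0x02
OCTET_STRING_TAG = 0x04
BIND_REQUEST_TAG = 0x60   # [APPLICATION 0] BindRequest
SIMPLE_AUTH_TAG = 0x80    # [CONTEXT 0] AuthenticationChoice.simple
SASL_AUTH_TAG = 0xA3      # [CONTEXT 3] AuthenticationChoice.sasl


def _encode_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Bytes a client sends for a simple bind (the VPN's service-account logon)."""
    bind = (_tlv(INTEGER_TAG, b"\x03")                   # LDAP version 3
            + _tlv(OCTET_STRING_TAG, dn.encode())
            + _tlv(SIMPLE_AUTH_TAG, password.encode()))  # password, not hashed
    return _tlv(SEQUENCE_TAG,
                _tlv(INTEGER_TAG, bytes([message_id])) + _tlv(BIND_REQUEST_TAG, bind))


def build_sasl_bind(message_id: int, mechanism: str) -> bytes:
    """Same envelope but a SASL bind: no password octets in the request."""
    bind = (_tlv(INTEGER_TAG, b"\x03") + _tlv(OCTET_STRING_TAG, b"")
            + _tlv(SASL_AUTH_TAG, _tlv(OCTET_STRING_TAG, mechanism.encode())))
    return _tlv(SEQUENCE_TAG,
                _tlv(INTEGER_TAG, bytes([message_id])) + _tlv(BIND_REQUEST_TAG, bind))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(packet: bytes) -> dict | None:
    """Return the cleartext DN and password if packet is a simple BindRequest.

    Anything else (SearchRequest, SASL bind, ...) yields None. Over plain
    ldap:// this is all a party on the appliance needs to harvest the bind.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE_TAG:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER_TAG:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST_TAG:
        return None
    _, _, pos = _read_tlv(bind, 0)          # version
    _, dn, pos = _read_tlv(bind, pos)       # name (bind DN)
    tag, auth, _ = _read_tlv(bind, pos)     # AuthenticationChoice
    if tag != SIMPLE_AUTH_TAG:
        return None
    return {"message_id": int.from_bytes(mid, "big"),
            "dn": dn.decode(), "password": auth.decode()}


# Constructed sample traffic, as a VPN's auth backend might emit it.
SAMPLE_SIMPLE_BIND = build_simple_bind(
    1, "CN=svc-vpn,OU=Service Accounts,DC=corp,DC=example", "Winter2024!")
SAMPLE_SASL_BIND = build_sasl_bind(2, "GSSAPI")

if __name__ == "__main__":
    print(extract_simple_bind(SAMPLE_SIMPLE_BIND))   # DN and password in the clear
    print(extract_simple_bind(SAMPLE_SASL_BIND))     # None
```

The decoder deliberately returns None for anything that is not a simple bind, so it can be run over a capture of mixed LDAP traffic; the only cure on the appliance side is to bind over LDAPS or StartTLS so the BindRequest never appears on the wire in this form.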
He also discovered that secrets within the VPN, such as SSH keys, user passwords and other credentials, were not adequately protected. For example, Fortinet's custom encryption key feature is disabled by default, which he said is concerning because not every administrator may be aware of it.
David also found a way to bypass FortiGate's custom key feature even if customers enable it. In 2019, a security researcher discovered Fortinet was using a single hard-coded encryption key to protect all secrets in all FortiGate appliances. While the vendor issued a fix that allows customers to switch to a custom key, David found attackers could simply disable the feature with admin access and revert the product to the single hard-coded key.
"It's trivial to extract secrets," David said. "An attacker with VPN control can easily obtain any secret from the configuration file."
He stressed that these techniques have already been observed in the wild. For example, he referred to research that showed attackers have moved laterally to compromise AD following VPN exploitation. "Attackers are already using these techniques, and it's only a matter of time before less sophisticated threat actors catch up," David said. "We'll be seeing similar things in other products [besides Ivanti and Fortinet] as well."
David reported the issues and vulnerabilities to Ivanti and Fortinet, and he said the vendors are working on fixes. Ivanti plans to issue two patches in October, he said.
To combat the threat, David urged enterprises to collect and analyze logs as well as monitor configuration changes. He also recommended limiting service account permissions and deploying zero trust access. "Threat actors are coming for your VPN. They can provide much more than network access," David said.
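The two Fortinet findings above (a custom key that an admin can silently turn off, an LDAP channel that can be downgraded to cleartext) are exactly the configuration changes David's advice asks defenders to watch for. As an added example, not Akamai's or Fortinet's code, the script below diffs two constructed FortiOS-style configuration snapshots and reports only the changes that weaken secret or directory protection. The key names (`private-data-encryption` under `config system global`, `set secure` under `config user ldap`) are assumed to follow FortiOS CLI syntax; confirm them against your own firmware's CLI reference before wiring this into monitoring.

```python
"""Flag VPN configuration drift of the kind described in the talk.

Added example for this article; it is not Akamai's or Fortinet's code. The
two snapshots are constructed FortiOS-style CLI text (config / edit / set /
next / end). The keys private-data-encryption and the LDAP "secure" setting
are the features the article discusses; confirm exact key names and values
against your own firmware's CLI reference before relying on this.
"""
from __future__ import annotations

import shlex

Section = tuple[str, ...]

# Constructed baseline: custom key enabled, directory binds over LDAPS.
BASELINE = """\
config system global
    set hostname "fw-edge-01"
    set private-data-encryption enable
end
config user ldap
    edit "corp-ad"
        set server "10.20.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=svc-vpn,OU=Service Accounts,DC=corp,DC=example"
        set secure ldaps
        set port 636
    next
end
"""

# Same device after an admin-level intruder weakened it (constructed).
WEAKENED = """\
config system global
    set hostname "fw-edge-01"
    set private-data-encryption disable
end
config user ldap
    edit "corp-ad"
        set server "10.20.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=svc-vpn,OU=Service Accounts,DC=corp,DC=example"
        set secure disable
        set port 389
    next
end
"""


def parse_config(text: str) -> dict[Section, dict[str, str]]:
    """Flatten CLI text into {section path: {key: value}}."""
    sections: dict[Section, dict[str, str]] = {}
    path: list[str] = []
    frames: list[int] = []          # how many path elements each block pushed
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":        # "config user ldap" pushes two elements
            path.extend(args)
            frames.append(len(args))
        elif verb == "edit":        # table entry name pushes one
            path.append(args[0])
            frames.append(1)
        elif verb == "set":
            sections.setdefault(tuple(path), {})[args[0]] = " ".join(args[1:])
        elif verb in ("next", "end"):
            del path[-frames.pop():]
    return sections


def diff_config(old, new) -> list[tuple[Section, str, str | None, str | None]]:
    """Every (section, key, old value, new value) that differs."""
    changes = []
    for section in sorted(set(old) | set(new)):
        a, b = old.get(section, {}), new.get(section, {})
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                changes.append((section, key, a.get(key), b.get(key)))
    return changes


def assess(changes) -> list[str]:
    """Keep only the changes that weaken secret or directory protection."""
    findings = []
    for section, key, old, new in changes:
        where = "/".join(section)
        if section == ("system", "global") and key == "private-data-encryption" and new != "enable":
            findings.append(f"{where}: private-data-encryption {old} -> {new}; "
                            "config secrets fall back to the shared built-in key")
        elif section[:2] == ("user", "ldap"):
            if key == "secure" and new not in ("ldaps", "starttls"):
                findings.append(f"{where}: secure {old} -> {new}; binds now cross the wire in cleartext")
            elif key == "server":
                findings.append(f"{where}: server {old} -> {new}; directory binds redirected")
    return findings


if __name__ == "__main__":
    for line in assess(diff_config(parse_config(BASELINE), parse_config(WEAKENED))):
        print(line)
```

Run against a baseline taken at deployment and the current backup, the script turns a raw config diff into the two findings that matter here; the port change from 636 to 389 is left as an ordinary diff because a StartTLS bind legitimately uses 389, and the LDAP server address is reported because redirecting it is the simplest way to harvest the service-account bind.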
Patrick Sullivan, CTO of security strategy at Akamai, emphasized that adversaries of all levels, from nation-state actors and down, have an affinity for targeting edge devices.
"Now even ransomware actors [are targeting VPNs]. If you find one vulnerability in an edge device that's deployed in thousands of organizations, you don't have to social engineer someone in each organization. There's been a shift from social engineering to more of a focus on vulnerabilities, which has played in ransomware as well," Sullivan said.
Catherine Lyle, head of claims and incident response for cyber at insurance carrier Tokio Marine, led another Black Hat session Wednesday on cyber insurance trends. During the session, she revealed that VPNs without MFA protection had replaced Remote Desktop Protocol (RDP) as the second most used initial intrusion vector of 2024.
"If you walk away with nothing else, VPN without MFA is the new RDP," she said. "Unprotected VPNs are the new attack vector because of the number of vulnerabilities, the landscape and the size, and the ease. Once you're in, you've got the keys to the kingdom."
Arielle Waldman is a Boston-based reporter covering enterprise security news.