Recovering from VPN Compromise

Every few weeks now, a government agency issues new advice on securing the VPN you and your organization use for secure communication.

Summer alerts over VPN security holes

During July 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about VPNs.

The alert said hackers were aware of VPN vulnerabilities and actively exploiting them to launch remote code execution (RCE) attacks and to intercept or hijack encrypted traffic sessions. CISA singled out the following VPNs:

• Palo Alto Security Advisory PAN-SA-2019-0020
• Fortinet / FortiGuard Labs Security Advisory FG-IR-18-384
• Pulse Secure Security Advisory SA44101

That was followed by guidance from the Canadian Centre for Cyber Security about mitigating vulnerabilities in the VPN.

Now, another government agency is sharing advice with the world. In this case, the insights are coming from the super secretive National Security Agency.

NSA guidance on recovering from VPN compromise

The NSA is following up on what the other agencies advise and taking it to the next step: what should you do if you use a VPN service that becomes compromised?

How do you restore secure encryption that a VPN is supposed to offer?

The National Security Agency says restoring confidence in your VPN product looks like this:

1. Upgrade to the latest version which patches vulnerabilities. Then remember the following:
   "If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching." 
2. "NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network."
3. "Immediately update VPN user, administrator, and service account credentials."
4. "Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users."
5. "If compromise is suspected, review accounts to ensure no new accounts were created by adversaries."

NSA reveals hardening techniques for VPN security

The NSA also offers a number of VPN hardening strategies and steps in its special advisory. Some are quite technical, and you can see them all here. 

Some of the less technical suggestions on hardening VPNs include using multi-factor authentication to prevent attackers from authenticating with compromised passwords; and enabling logging to record and track VPN user activity, including authentication and access attempts, configuration
changes, and network traffic metadata.

Also, things such as deploying a web application firewall (WAF) that can detect and block web application attacks, like specially-crafted HTTP requests containing malformed strings that exploit VPN vulnerabilities, in front of the VPN web application.

Plus, disabling services (e.g. file share services) that could be leveraged for post-compromise activities like lateral movement, data exfiltration, and command and control.

And constantly analyzing log activity and subscribing to vendor patch alerts and patching any vulnerabilities immediately.

Because as the NSA notes in its advisory, hacking methods become readily and publicly available. That was the case for the most recent vulnerabilities:

"Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."