With many organizations now adopting an almost entirely working-from-home (WFH) model as the world shelters-in-place to battle the COVID-19 pandemic, understanding how attackers might exploit remotely accessible entry points and how you can block them has never been more critical. Organizations are expanding and purchasing new virtual private network (VPN) solutions that allow access to business applications using an internet connection. Similarly, there’s greater use of remote desktop solutions and more reliance on cloud environments and applications with employees working off premises. VPN and remote access gateways have always been ideal candidates for adversaries to target; increased use in the wake of COVID-19 amplifies these risks.
As you expand your organization’s capacity for WFH, make sure that you are also using best practices for securing your newly expanded attack surface. Let’s take a look at some of the key risks with VPNs, remote desktop protocol (RDP) and cloud services.
VPN solutions vary widely in their performance, quality and approach to security. When relying on a VPN for secure transmissions, your organization should institute an independent verification of the security of your implementation. Of course, having a VPN provider check the security of their own solution is a start, but it’s not enough because it’s like relying on the company setting up a security fence to verify its effectiveness; if that fence provider is asked if the fence is adequate, they will say yes.
Beyond configuration issues, there are a number of common security issues related to VPN gateways. These vulnerabilities include remote code execution, file path traversal and password modification that can lead to credential theft and internal network compromise. For example, CVE-2019-11510 is a vulnerability that allows an unauthenticated remote attacker to gain access to private keys and user passwords. First identified in May 2019 for Pulse Connect Secure, Pulse Secure’s SSL VPN is still unresolved on a significant number of enterprise networks.
The CyCognito platform observed a 7x increase in the number of newly deployed, and thus exposed, RDP servers in March over previous months, which is not surprising given the massive shift to remote working. What is surprising is that two-thirds of those RDP servers don’t have the recommended Network Level Authentication (NLA) implemented. NLA is a mitigation to prevent unauthenticated access to the RDP tunnel and dramatically decreases the chance of success for RDP-based worms. Our analysis further reveals that 18 percent of Fortune 1000 companies have RDP servers without NLA or VPN protection.
NLA is recommended as protection against vulnerabilities like BlueKeep, CVE-2019-0708, a widespread and wormable RDP vulnerability discovered last year that still exists on many networks. First made public on May 14, 2019, BlueKeep enables attackers to perform unauthenticated, arbitrary remote code execution. There were a million devices exposed to BlueKeep a year ago and our research shows that nearly half a million devices on the internet are still susceptible to it, including Fortune 1000 companies. There are several public exploits for this vulnerability, significantly reducing its exploitation complexity. Because the vulnerability enables remote code execution and requires no authentication, it has been compared to "EternalBlue", which enabled the 2017 WannaCry attack.
Cloud Services Risks
Given the convenience and agility that cloud services (IaaS, PaaS, SaaS) offer, studies show that organizations currently run 38 percent of workloads in public cloud and that percentage had already been on a trajectory to continue to rise. Increased use of cloud services will no doubt be fueled by the rapid rise in remote work by enterprise employees this spring. Data from the CyCognito platform shows that this increases IT risk significantly: public cloud assets harbor a disproportionate share of an organization’s critical attacker-exposed risks, with critical issues in cloud assets occurring at 3 to 6 times the volume of critical risks in on-premises assets.
The ongoing increase in cloud adoption — whether sanctioned or shadow IT — and the resulting increase in security risks is a reality that security teams must factor in as they manage their security programs. The increased risk associated with cloud services may be due to lack of visibility to abandoned cloud environments spun up by various departments or, and more significantly, due to the fact that legacy security tools are simply not designed to identify cloud assets and the attack vectors associated with them. In any case, working remotely will undoubtedly fuel more growth in the adoption of cloud services, increasing the need to secure these environments.
Attackers are opportunistic. We knew they wouldn’t miss the quick evolution to working from home. They already know how to exploit WFH-related vulnerabilities, so now the scale of their opportunity increases. Our guidance doesn’t change in the face of the accelerated risk created by the pandemic. Your best defense is to view your attack surface the same way an attacker does and mobilize quickly to eliminate their easiest points of entry.