VPNs

April ‘24 Cybersecurity News Roundup: Brute Force Attacks & Vulnerabilities on VPNs & SSH

The second quarter of 2024 is proving busy for bad actors, specifically for those targeting network security providers like VPNs and Secure Shell (SSH). From mid-January to March 2024, CISA published several advisories regarding VPN vendors, releasing an emergency directive in early February after 1700 organizations fell victim to a campaign by an unknown Chinese APT group targeting VPN providers. 

From late March through April, threat actors launched a variety of brute force attacks and exploited vulnerabilities in VPN and SSH providers. Below we’ve compiled everything you need to know about these recent attacks with our recommendations on what to do if your VPN provider has been a target of the attacks. 

Cisco & other VPN and SSH companies targeted by brute force attacks

The attacks currently making the greatest headlines are considered “brute force attacks.” This type of attack is a hacking method where bad actors use trial and error to guess passwords, login credentials, and encryption keys. 

Although a simple method of attack, when successful, it gives bad actors the digital keys to the castle, so to speak, leaving company accounts, systems, and networks vulnerable to breaches. In the context of VPNs and SSH environments, this can lead to unauthorized network access. It can also lead to damaging denial of service conditions and account lockouts. 

According to research from Cisco, the attacks appear to have started on March 18, 2024. All of the attacks originate from TOR exit nodes and various other anonymization tools and proxies, which the threat actors use to evade blocks, according to Bleeping Computer. The attacks appear to have been conducted through TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack to make the source untraceable. It remains unclear if these attacks were related to a previous malware botnet called 'Brutus’ that had a similar pattern and scope.

The following VPN and SSH providers have been targeted between March and April 2024 in brute force attacks: 

Security recommendations 

If you are a customer of any of the above listed VPN or SSH services, it is recommended that you pay close attention to your network security and network activities in the coming weeks, as more attacks are predicted to occur. Organizations should enable logging on all connected devices, secure default remote access VPN profiles, encourage employees to update their passwords and use an SSO login, and block connection attempts from malicious sources.

Additionally, Cisco has published a list of IP addresses and credentials associated with these attacks to add to your VPN control list in their GitHub repository. It’s important to note that the list of attacker's IP addresses is likely to change, but blocking malicious sites can help catch potential attackers before they have a chance to get in. 

Of note: Unlike other attacks and breaches, this attack is not against a software or hardware vulnerability; therefore, there is no “patch” to download. 

Hackers exploit vulnerabilities in Fortinet SSL-VPN devices

In February 2024, CISA released an advisory to address critical remote code execution zero-day vulnerabilities in FortiOS (CVE-2024-21762, CVE-2024-23313), stating, “According to Fortinet, CVE-2024-21762 is potentially being exploited in the wild.” 

Over a month later, it was reported that over 133,000 Fortinet devices were still vulnerable to the critical bug with gradual patches being released from the vendor. At the same time, Fortinet announced another critical-severity bug — CVE-2023-48788, an SQL Injection flaw in FortiClient Endpoint Management Server (EMS) — that was disclosed on March 12, carrying a 9.3 severity score and further adding to — and likely slowing down — the patching workload. 

On April 22, it was reported by Cybersecurity News that an unidentified group of hackers have exploited vulnerabilities and are now offering administrative access to over 3,000 Fortinet SSL-VPN devices. This breach, along with other recent vulnerabilities, poses a significant threat to the security of businesses relying on these devices for secure remote access, as it allows unauthorized access to sensitive corporate data and internal networks.

Security recommendations

Fortinet has not yet issued a formal response to the specific hacking incident. However, patches to the vulnerability are expected in the coming days with formal recommendations to follow. 

We advise all users of Fortinet SSL-VPN devices to increase awareness and monitor for unusual network activity. Additionally, we advise users to update login credentials for all users and use multi-factor authentication. Additionally, users should apply patches when available.

Palo Alto firewall vulnerability exploited 

On April 12, Palo Alto disclosed a critical vulnerability, CVE-2024-3400 (CVSS score of 10/10). This vulnerability is described as a command injection in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ appliances. This vulnerability leads to unauthenticated remote shell command execution, while the exploitation of a second flaw would allow attackers to steal sensitive information or deploy malware.

According to the Shadowserver Foundation, there are roughly 6,000 internet-accessible Palo Alto Networks firewalls potentially affected, down from over 22,000 a week prior. The vulnerability had been targeted by state-sponsored threat actors.

According to an advisory from Palo Alto: 

“A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability… In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.”

Security recommendations

Palo Alto has released a patch and has advised all customers to install all available updates and patches. The company also advised:

“Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later).”

General network security tips 

When your network security provider has been compromised, it can be frustrating. Here are a few steps you can take to ramp up your security, regardless of brute force attacks or vulnerabilities from third-party vendors:

  • Follow your network security provider’s list of security advisories. Even if a vulnerability does not pose a great risk to your business, it is a good idea to monitor the amount of time between an exposure and when the patch is released. 
  • Consider using tools with open source roots, as security issues are often addressed more quickly. 
  • Check your security vendor’s compliance information. For example, check if they are SOC 2 compliant, and monitor third-party audits for tools in your tech stack. 
  • Implement the tenets of zero trust, thereby enforcing multi-factor authentication and limiting access to internal systems should a breach occur. 
  • Utilize an Intrusion Detection System and Intrusion Prevention System, or IDS/IPS, to mitigate malicious traffic and suspicious activity. 
  • Use network segmentation to thwart DoS attacks and limit the spread of an attack.

Security solutions are always under constant attack. We, of course, also see threat actors becoming more bold in their attacks. It is therefore important that whatever security solution you use, it receives proper attention and maintenance to resolve any issues found or reported.

Likewise with OpenVPN, it is important to install updates.

“We sometimes see customers who may be running Access Server with an outdated operating system or older version of Access Server,” says Johan Draaisma, senior product manager for Access Server. “Because of this, they may be vulnerable to security issues that have long ago been solved.”

Draaisma adds, “I think, in general, what is happening in the security world right now is a wake-up call to scrutinize your software update policies and ensure you keep up-to-date, to stay safe.”

How OpenVPN can help your organization

Being burned by a breach can be a headache. OpenVPN can help get you back up and running quickly. Because of our open source roots we: 

  • Believe in full disclosure in any instance of a vulnerability, exposure, or breach. 
  • Take security issues very seriously and respond quickly when serious vulnerabilities are discovered.
  • Respond to vulnerability reports from both inside and outside the open source community.
  • Work with organizations like MITRE to publish and disseminate security information to both customers and open source community devs and users alike.

Ready to get started? Download OpenVPN’s award-winning CloudConnexa or Access Server for free, and improve your security posture in under 20 minutes. Get started with free connections today.

Want to check out our platform without downloading a trial? We’ve got you covered. Try our interactive product demo today

Share this story: