[INFOGUARD CSIRT WARNING] When the ransomware arrives via VPN

Author
Stefan Rothenbühler
Published
23. August 2021

Ransomware attacks have become a little quieter in recent weeks, but our CSIRT is now noticing an increase in encryption attacks once again. We are seeing well-known initial attack vectors such as phishing emails and inadequately protected remote accesses such as Citrix, RDP and VPN. This is why Stefan Rothenbühler, Senior Cyber Security Analyst, informs you about the latest findings.

An attacker in your home office?

The trend for staff to increasingly work from home due to Covid-19 has led to a logical increase in attacks that exploit the fact that companies are relying on people working from home. In many places, remote solutions such as VPN, Citrix and RDP have been set up within a very short time, or existing solutions for partner access have been extended to a large staff base.

More and more security gaps in VPN solutions

The increased use of VPN solutions in recent years has led to the discovery and abuse of serious security vulnerabilities in VPN products. At the beginning of 2020, for example, a security vulnerability became known in the Pulse Secure VPN appliance which enabled attackers to read various files on the appliance without having to be authenticated. This included a database with user passwords in plain text (data.mdb).

VPN access for 10$, please!

After these vulnerabilities became known, accesses of this kind were gathered by various groups around the world and the vulnerabilities were automatically exploited. The accesses obtained in this way are then offered for sale in hacking forums or on the Dark Net, so the access to your company may be also on sale somewhere for 10$ in the underground. Even if you have already patched the security vulnerability long ago, it is still possible to compromise it.

Important protection: Multi-Factor Authentication (MFA)

Based on current observations, we strongly recommend:

  1. Reset the passwords of Pulse Secure Appliances. This applies to user accounts as well as administrator and service accounts for configuration.

  2. Check the configuration of the Pulse Secure Appliance for unnecessarily exposed services.

Another very good means of protection is to use MFA (Multi-Factor Authentication). For some time now, we have been recommending that any access exposed to the Internet should be additionally protected with a second factor. Passwords that are easy to guess, phished or stolen through security holes are no longer sufficient to stop an attacker from compromising and encrypting a company; instead, the attacker would also have to override the second factor, which is more difficult and time-consuming. Therefore, they will choose a more profitable target with no additional factors.

InfoGuard is here to help you – 24/7

Most of the time, we are contacted by companies that have already been hit by a ransomware incident and then deploy our CSIRT (our cyber fire brigade). In cases like these, we would have been happy to help beforehand. Are you using a VPN or some other kind of remote access without MFA? It is only a matter of time before they are successfully attacked. We would be happy to help you provide better protection for these accesses.

Do you suspect that you may have been impacted by the Pulse Secure vulnerability? We would be pleased to investigate your infrastructure based on a configuration review and a compromise assessment, either to confirm your suspicions and avert the danger or to assure you that your company has not been hit.

Contact our CSIRT team!

In the event of a cyber attack of this kind, it is crucial to act quickly and professionally. Our Incident Response Retainer is the optimal, most effective solution. We prepare you for emergencies with a joint onboarding workshop. If one should occur, we can react correctly together with you - quickly, competently and with a lot of experience, 24x7. You can find out more about our Incident Response Retainer here:

Incident Response Retainer

Share article