With remote work on the rise due to COVID-19, more and more companies are using VPNs, which in turn is leading to a spike in attacks that exploit vulnerabilities found in VPN products.

Some well-known examples include the Korea Atomic Energy Research Institute and the Korea Aerospace Industry in Korea, where attackers were confirmed to have reached administrator pages without authorization by capitalizing on VPN vulnerabilities, and to have changed passwords without the administrators' approval.

In overseas cases, a hacker alleged to be Chinese infiltrated divisions of the U.S. defense industry using VPN vulnerabilities. A Russian hacking group also exploited VPN vulnerabilities to steal VPN account information from more than 900 Japanese and overseas companies and gain access to their internal systems.

Likewise, many alleged hacking attempts and incidents that exploit VPN vulnerabilities are frequently being reported at companies in general, which serves as a heads-up for security managers to take precautions that minimize the damage such attacks can cause.

With the help of AI Spera's cyber threat intelligence platform Criminal IP, we will examine whether the company VPN service that security managers are in charge of is exposed to the outside, and take a look at what countermeasures could be taken accordingly.

Searching for IP addresses running VPN services all around the world returned a total of 47,270, 950 of which were located in Korea.

Shifting the focus to Korean cases, it was confirmed that among the IPs running VPN services, products such as SSL VPN Client, SoftEther VPN Server, and VPN Router were open.

Many of the VPN IPs identified in this manner may have been intentionally left open, but VPN IPs that only administrators are supposed to know about may leave themselves vulnerable to attackers.

The table below lists the VPN assets among the company's entire information asset inventory managed by the security manager. We searched Criminal IP to see whether any of these VPN IPs were exposed outside.

The search confirmed that the IP xxx.xxx.xxx.251 of the VPN server supervised by the security manager is exposed to the outside. Although the VPN authentication page in question is only meant for certain groups, it remains in a state where anyone who knows the IP address can easily reach it. This allows attackers to obtain valid credentials with little effort through a brute-force attack and then penetrate all the way into the internal network using the allowed routing information.

Moreover, if the VPN in question is vulnerable, attacks can be carried out using known weaknesses in VPN communication protocols such as SSL or IPsec, or in the security configuration of the VPN device itself.

Now that we have identified the security risk exposures resulting from VPN vulnerabilities, security managers should immediately take countermeasures against them.

These measures are largely divided into six steps and should be implemented in a stepwise fashion, according to the situation at hand.

If you use Criminal IP, you can identify the assets you need to protect and take protective measures faster and more effectively.

  1. Be careful not to let the VPN authentication page be exposed.
  2. Activate 2FA (two-factor authentication) on the authentication page and remember to change the default password.
  3. Always update your VPN software to the latest version.
  4. Check the VPN logs for abnormal IPs reaching the allowed VPN authentication page, or for authentication attempts made during off-work hours.
  5. Services not related to the VPN should not be installed on the VPN server.
  6. Security education sessions should be held periodically to raise the awareness of security managers.
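As an added example that is not part of the original article or of Criminal IP, the script below applies step 4 (and the brute-force concern raised earlier) to a few constructed VPN authentication log lines: it flags source IPs with repeated failed logins, logins outside assumed working hours, and sources outside an assumed allowed client range. The log format, the allowed range, the working hours and the failure threshold are all assumptions, not the format or settings of any particular VPN product.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines in an assumed format (timestamp, source IP, user, result).
# Adjust LINE_RE to match your own VPN appliance's log format.
SAMPLE_LOG = """\
2021-06-14T09:12:03 src=203.0.113.7 user=jlee result=success
2021-06-14T02:41:10 src=198.51.100.23 user=admin result=failure
2021-06-14T02:41:12 src=198.51.100.23 user=admin result=failure
2021-06-14T02:41:15 src=198.51.100.23 user=admin result=failure
2021-06-14T02:41:19 src=198.51.100.23 user=root result=failure
2021-06-14T02:41:21 src=198.51.100.23 user=admin result=failure
2021-06-14T03:05:44 src=203.0.113.9 user=kpark result=success
2021-06-14T14:20:00 src=192.0.2.55 user=hchoi result=failure
"""

ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]  # assumed: ranges allowed to reach the VPN page
WORK_HOURS = range(8, 19)                          # assumed: 08:00 to 18:59 local time
FAIL_THRESHOLD = 5                                 # assumed: failures per source before flagging

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Turn raw lines into dicts, skipping lines that do not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def review_vpn_log(log_text):
    """Return sorted source IPs for each finding: off-hours use, unknown source, brute force."""
    events = parse(log_text)
    failures = Counter(e["src"] for e in events if e["result"] == "failure")
    off_hours = sorted({e["src"] for e in events if e["ts"].hour not in WORK_HOURS})
    unknown = sorted({e["src"] for e in events
                      if not any(ip_address(e["src"]) in net for net in ALLOWED_SOURCES)})
    brute_force = sorted(src for src, n in failures.items() if n >= FAIL_THRESHOLD)
    return {"off_hours": off_hours, "unknown_source": unknown, "brute_force": brute_force}


if __name__ == "__main__":
    for kind, ips in review_vpn_log(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```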

This article was written by drawing on data provided by Criminal IP. If you are keen to find out more about specific Criminal IP services as well as beta tester recruitment, feel free to head over to our LANDING PAGE that is NOW open!