With remote work on the rise due to COVID-19, an increasing number of companies are using VPNs, which in turn is resulting in a surge in attacks that exploit the vulnerabilities found in VPN technology. Some notable examples include the Korea Atomic Energy Research Institute (KAERI) and the Korea Aerospace Industries (KAI), where attackers were confirmed to have accessed unauthorized administrator pages by exploiting VPN vulnerabilities and changing passwords without proper administrator authorization. In addition, a hacker claiming to be Chinese infiltrated divisions of the U.S. defense industry system by exploiting VPN vulnerabilities. A Russian hacking group also exploited VPN vulnerabilities to steal VPN account information from over 900 Japanese and international companies, gaining access to their internal systems.

Similarly, numerous reported hacking attempts and incidents exploiting VPN vulnerabilities are increasingly common in companies across the board. This serves as a warning for security managers to take precautions and minimize the potential damage caused by these hacking activities. With the assistance of AI Spera’s cyber threat intelligence search engine, Criminal IP, we will assess whether the company’s VPN service, overseen by security managers, is exposed externally. Additionally, we will explore the appropriate countermeasures that can be implemented to address any identified risks.

Cyber Threat Intelligence Search Engine ‘Criminal IP’
 Cyber Threat Intelligence Search Engine ‘Criminal IP

Global Statistics on VPN Server IP Vulnerabilities

A global search for IPs with VPNs was conducted, revealing a total of 47,270 IPs with VPNs. Among them, 950 IPs were located in Korea. Shifting the focus to Korean cases, it has been confirmed that among the IPs with VPN, services such as SSL VPN Client, SoftEther VPN Server, and VPN Router were found to be open. While many VPN IPs identified in this manner may have intentionally been left open, it is important to note that VPN IPs accessible only to administrators can still pose vulnerabilities, making them susceptible to potential attackers.

Country statistics of IP addresses with VPNs
Country statistics of IP addresses with VPNs

Exposed Company VPN Servers Detected With Criminal IP

The table below represents a list of VPN assets within the company’s overall information asset inventory, which the security manager manages. We searched using Criminal IP to determine if any VPN IPs have been exposed externally.

The VPN asset list among the company's information asset inventory, detected by Criminal IP
The VPN asset list among the company’s information asset inventory, detected by Criminal IP

After the search, we have confirmed that the IP xxx.xxx.xxx.251 in the VPN server supervised by the security manager is exposed outside. While the VPN authentication page is intended to be accessible only to specific groups, it is currently exposed in a manner that allows anyone with knowledge of the IP information to gain easy access. This vulnerability enables hackers to exploit Brute-force attacks and gain unauthorized authorization, potentially penetrating the internal network using the provided routing information.

Moreover, if the VPN in question is vulnerable, attacks can be executed utilizing well-known VPN communication protocols such as SSL or IPSec, as well as exploiting security configuration vulnerabilities within the VPN device itself.

Now that we have identified security risk exposures resulting from VPN vulnerabilities,  security managers should immediately take countermeasures against them. 

These measures are divided into six steps and should be implemented based on the specific situation, following a step-by-step approach: 

  1. Ensure that the VPN authentication page is not exposed.
  2. Apply 2FA (two-factor authentication) to the VPN authentication page and change the default password.
  3. Always keep the VPN software updated to the latest version.
  4. Check the VPN logs to identify abnormal IP addresses accessing the authorized VPN authentication page or authentication attempts made outside of working hours.
  5. Do not install any services unrelated to VPN on the VPN server.
  6. Regular security education sessions should be conducted to enhance the security awareness of the security manager.

If you utilize Criminal IP, you can detect and protect your assets more quickly and effectively, enabling you to respond promptly and efficiently.

This article is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]