In today’s remote work landscape, SSL VPNs have become a cornerstone of corporate security, letting employees reach internal networks securely from wherever they work. The flip side is that an attacker who logs in to the SSL VPN inherits exactly the access of the legitimate user whose account they hold. To counter this, most SSL VPNs can require Multi-Factor Authentication (MFA) on top of the username and password, so that a stolen or guessed password alone is not enough to get in. This additional step is not merely a recommendation, but a must.

Cisco SSL VPN Hacked Due to Insufficient Security Settings

Nevertheless, many companies skip MFA when deploying an SSL VPN. This includes deployments of Cisco ASA, a widely used network security platform that protects corporate networks and data centers with firewall and SSL VPN features. As Rapid7’s report on the compromise of Cisco ASA firewalls and SSL VPNs highlights, attackers systematically targeted Cisco VPN services that lacked MFA, using brute-force and credential-stuffing attacks against the login to break into vulnerable companies.

Rapid7 reports that 11 recent corporate intrusions were carried out through Cisco SSL VPNs that lacked these basic protections. Once an attacker logs in with an employee’s SSL VPN credentials, they hold the same access as that employee, which opens the door to confidential files on internal Windows servers and other insider information. Beyond stealing such data, the intruders also deployed ransomware such as Akira and LockBit, compounding the damage to the affected companies.

Searching “ssl vpn” on Criminal IP Asset Search provides further insights into SSL VPNs. Notably, top products such as SonicWall and ZyWall are prominent SSL VPN devices.

SSL VPNs Exploited Due to Inadequate Security Configurations

The core issue is Cisco VPN deployments with no MFA layer at all. But attacks also succeed where MFA is in place yet misconfigured: leaving factory-default accounts active is one example, and failing to update the SSL VPN to the latest version is another, since unpatched devices carry exploitable vulnerabilities. The breach at the Korea Atomic Energy Research Institute is an illustrative case: the institute had MFA, but was compromised because its SSL VPN had not been updated to the latest version.

In response, Cisco’s Product Security Incident Response Team (PSIRT) stresses that companies should enforce MFA on their SSL VPN and keep the VPN software current with the latest security patches. Cisco also recommends enabling logging for VPN users on the ASA so that login attempts and other potential attack indicators can be monitored. Companies should continuously evaluate the security posture of their SSL VPN and proactively manage their attack surface.

The following list, drawn from Cisco PSIRT’s guidance, summarizes effective measures against the SSL VPN breaches described above:

  • Verify that MFA is correctly configured.
  • Ensure that default accounts are not accessible to the public.
  • Practice Attack Surface Management: Always update SSL VPN devices to the latest version.
  • Enable logging for all SSL VPN devices.
  • Implement credential stuffing prevention solutions, such as FDS (Fraud Detection System), for SSL VPN devices.
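As an added example, not part of the original article or of Cisco’s guidance, the following Python script shows the kind of check that the logging and credential-stuffing items above make possible, and that would have surfaced the brute-force and credential-stuffing activity described in the Rapid7 campaign earlier. It parses constructed syslog lines in the layout of Cisco ASA message ID 113005 (AAA user authentication rejected) and flags source IPs that fail against many distinct accounts (credential stuffing or password spraying, which look alike in reject logs) separately from those hammering a single account. The exact field layout in the regex, the sample lines and the thresholds are assumptions; adapt them to real ASA output and your own user population.

```python
import re
from collections import defaultdict

# Message layout modeled on Cisco ASA syslog ID 113005 ("AAA user authentication
# Rejected"). Field order in real deployments depends on the AAA backend, so
# treat this regex as an assumption to adapt to your own logs.
REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def _reject_line(user, ip, reason="AAA failure", server="10.1.1.10"):
    """Build one constructed 113005 line (sample data, not real telemetry)."""
    return (f"%ASA-6-113005: AAA user authentication Rejected : reason = {reason} : "
            f"server = {server} : user = {user} : user IP = {ip}")


# Constructed sample log: one source trying many different accounts once each,
# one source hammering a single account, one user who mistyped twice, and one
# unrelated success message that the parser must ignore.
SAMPLE_LOGS = "\n".join(
    [_reject_line(f"user{i:02d}", "198.51.100.7") for i in range(12)]
    + [_reject_line("admin", "203.0.113.9") for _ in range(15)]
    + [_reject_line("alice", "192.0.2.20") for _ in range(2)]
    + ["%ASA-6-716038: Group <RA-VPN> User <alice> IP <192.0.2.20> "
       "Authentication: successful, Session Type: WebVPN"]
)


def parse_rejects(log_text):
    """Return a list of {reason, server, user, ip} dicts, one per 113005 line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, fail_threshold=10, user_threshold=5):
    """Map source IP -> verdict for sources with at least fail_threshold rejects.

    Many distinct usernames from one source is the signature of credential
    stuffing (breached user:password pairs) or password spraying; the two cannot
    be told apart from rejects alone. Many rejects against one account from one
    source is a classic single-account brute force. Sources below the failure
    threshold (ordinary typos) are not reported.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        failures[ev["ip"]] += 1
        users[ev["ip"]].add(ev["user"])

    verdicts = {}
    for ip, count in failures.items():
        if count < fail_threshold:
            continue
        if len(users[ip]) >= user_threshold:
            verdicts[ip] = "credential stuffing / password spray"
        else:
            verdicts[ip] = "single-account brute force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_rejects(SAMPLE_LOGS)).items():
        print(f"{ip}: {verdict}")
```

In practice the same aggregation is what a SIEM rule or an FDS does on the ASA syslog feed; the point of the script is that without the logging item above there is nothing to aggregate, and without MFA a single hit from either pattern is a working VPN session.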

Hacker IP Address With Past History of Enabling RDP Ports

Meanwhile, 176[.]124[.]201[.]200, an IP address previously used by the attacker, currently shows no open ports. Criminal IP’s Historical Information feature lets users look back at past data, which shows that on February 26, 2023, the RDP port (3389/TCP) was open on this host.

A typical Remote Desktop Protocol (RDP) attack chain compromises one server’s RDP service and then uses that server as a foothold to attack the next RDP server, a pattern referred to here as the RDP Worm. It is therefore plausible that this server had itself been compromised and was communicating with another botnet server over the RDP port, and that it went on to infect further RDP servers in the same way.

More alarming than SSL VPN hacking itself is that an attacker may reach internal servers without ever authenticating to the SSL VPN, by remotely controlling a host over an exposed RDP service. Attack surface inspection should therefore not stop at the SSL VPN but also cover other remote access protocols such as RDP and SSH, so that every remotely reachable entry point is accounted for.

Retrieved historical data for the SSL VPN attacker’s IP address using Criminal IP Asset Search



This report is based on data from Criminal IP, a Cyberthreat Intelligence search engine.


Source: Criminal IP (https://www.criminalip.io/en)

Related Article(s): https://blog.criminalip.io/2022/10/14/ms-exchange-zero-day-vulnerability/