Chris Scheels, April 23, 2021
Is the Latest Pulse Secure Exploit the Writing on the Wall for VPNs?
New Pulse Secure zero-day exploit for CVE-2021-22893 used in the wild by nation-state threat actors to attack government, defense and finance sectors.
The pulse of VPN technology is weak and close to flatlining. This week we learned of yet another critical VPN exploit in the wild, another nation-state threat actor systematically attacking vulnerable VPNs. It’s like déjà vu. Or Groundhog Day. Or a bad dream that we can't seem to wake up from. This latest VPN exploit news doesn't bode well for traditional VPNs, no matter how you slice it. Isn’t it ironic that one of the malware families is actually called SlowPulse and another PulseCheck?
Honestly, it brings to mind the often misattributed Einstein quote:
“Insanity is doing the same thing over and over again and expecting different results.”
Why do organizations keep using a 23-year-old-plus connectivity technology to secure enterprise remote access? This week Pulse Secure is in the news, but over the last few years you could insert any VPN provider in its place.
Security professionals should resist the urge to search the web for VPN exploits or critical VPN vulnerabilities, because the results are the stuff that nightmares are made of … yet the evidence is overwhelming. Appgate has been educating the community on the critical design flaws of this multi-decades-old technology. We are on a mission to eradicate the use of VPNs, telling anyone who will listen why it’s time to replace the VPN. It’s not any one vendor’s fault per se … it’s the fact that all VPNs share the same initial design flaw: they all require an open, internet-facing port that is reachable by anyone, authenticated or not, and is just waiting to be attacked.
If you were to build a new remote access solution today, you would never design it with an open, exposed internet port. ZTNA solutions were designed with that in mind. There are different ways to go about cloaking ports, with single packet authorization (SPA) being a proven, tried-and-true method: the gateway drops every packet by default, so it looks closed to a scanner, and only opens the service port for a client's source address after that client sends a single cryptographically authenticated packet. The pre-authentication attack surface that the Pulse Secure exploits depend on is never reachable by an unauthenticated party.
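To make port cloaking concrete, here is an added example, written for this page and not code from Appgate or any SPA implementation such as fwknop (whose wire format differs), that models the SPA exchange in Python. The client builds one HMAC-authenticated datagram that is bound to its source IP, timestamped and carries a fresh nonce; the gateway verifies it and only then records a short-lived allow for that IP and port. Replayed, stale, tampered or mis-sourced packets are silently dropped, and a source that never sent a valid packet is never allowed, which is the "you can't attack what you can't see" property. The client ID, key, addresses and time values are constructed for illustration.

```python
"""Simplified single packet authorization (SPA) model.

Constructed example: the gateway is default-deny and opens a port for a
source IP only after one valid, HMAC-authenticated, replay-protected packet.
This is not Appgate's or fwknop's protocol; real SPA implementations also
encrypt the payload and drive a real packet filter.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

SPA_WINDOW_SECONDS = 30   # clock skew tolerated between client and gateway
ALLOW_TTL_SECONDS = 60    # how long an opened port stays open for the source IP
TAG_LEN = hashlib.sha256().digest_size


def build_spa_packet(key: bytes, client_id: str, src_ip: str, port: int,
                     now: Optional[float] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: one datagram the gateway can verify without replying."""
    body = {
        "client": client_id,
        "src": src_ip,                     # bound to the IP the gateway will see
        "port": port,                      # the service the client wants opened
        "ts": int(now if now is not None else time.time()),
        "nonce": base64.b64encode(nonce or os.urandom(16)).decode(),
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + tag)


class SpaGateway:
    """Gateway side: default-deny packet filter driven by valid SPA packets."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                                   # client_id -> shared secret
        self.seen_nonces: Dict[str, int] = {}              # nonce -> ts, for replay defence
        self.allows: Dict[Tuple[str, int], float] = {}     # (src_ip, port) -> expiry

    def handle_packet(self, packet: bytes, observed_src_ip: str,
                      now: Optional[float] = None) -> str:
        """Return 'allow' or a 'drop: <reason>' string; nothing is ever sent back."""
        now = now if now is not None else time.time()
        try:
            blob = base64.b64decode(packet, validate=True)
            raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
            body = json.loads(raw)
            key = self.keys[body["client"]]
            src, port, ts, nonce = body["src"], int(body["port"]), int(body["ts"]), body["nonce"]
        except (ValueError, KeyError, TypeError):
            return "drop: malformed"
        # Authenticate first, so unauthenticated traffic can never fill the nonce table.
        expected = hmac.new(key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "drop: bad hmac"
        if src != observed_src_ip:           # packet captured and re-sent from elsewhere
            return "drop: source mismatch"
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return "drop: stale"
        if nonce in self.seen_nonces:        # exact replay inside the time window
            return "drop: replay"
        self.seen_nonces[nonce] = ts
        self._prune_nonces(now)
        self.allows[(observed_src_ip, port)] = now + ALLOW_TTL_SECONDS
        return "allow"

    def is_allowed(self, src_ip: str, port: int, now: Optional[float] = None) -> bool:
        """What a packet filter would consult: closed unless a live allow exists."""
        now = now if now is not None else time.time()
        expiry = self.allows.get((src_ip, port))
        return expiry is not None and now < expiry

    def _prune_nonces(self, now: float) -> None:
        # Nonces older than the window can no longer pass the staleness check.
        cutoff = now - 2 * SPA_WINDOW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    gw = SpaGateway({"alice-laptop": key})
    pkt = build_spa_packet(key, "alice-laptop", "203.0.113.7", 443, now=1000)
    print(gw.is_allowed("203.0.113.7", 443, now=1000))       # False: port looks closed
    print(gw.handle_packet(pkt, "203.0.113.7", now=1001))    # allow
    print(gw.is_allowed("203.0.113.7", 443, now=1005))       # True
    print(gw.handle_packet(pkt, "203.0.113.7", now=1002))    # drop: replay
```

The ordering of the checks is the security-relevant part: the HMAC is verified before anything is stored, so a scanner can neither trigger a response nor exhaust gateway state, and the source-IP binding plus nonce stop an observer on the path from reusing a captured packet.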
“VPNs are antiquated and while they may have some value for an immediate 'fix' they need to go away,” said Chase Cunningham, also known as Dr. Zero Trust. “They are vulnerability aggregators and are a prime target for exploitation. Moving away from them empowers users and makes security more digestible for everyone while simultaneously improving command and control of the security infrastructure.”
Reportedly, the recent attacks impact U.S. and European organizations in defense, government and financial sectors. There are many great articles about the details of the hack, but it’s still too early to know the depth and breadth of it. The bottom line is there is yet another example of a compromised VPN that puts government and enterprise at risk.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued another alert (AA21-110A) related to the latest Pulse Secure VPN vulnerability. The CISA alert strongly urges any organization using Pulse Secure devices to take immediate action to determine the integrity of the system.
This latest VPN attack is very similar to another recent, well-publicized critical Pulse Secure VPN exploit. To summarize from our August 2020 DEFCON1 blog about CVE-2019-11510, the ingredients of that attack were:
- A critical, remotely exploitable VPN vulnerability
- An open listening VPN port
- Stolen credentials
Even though a patch for CVE-2019-11510 has existed for over a year, unpatched systems are still under attack today, along with two other more recent vulnerabilities CVE-2020-82 and CVE-2020-8260, according to the SecurityWeek article.
Unfortunately, there are still conversations where someone states: "My VPN is secure." The truth is that VPNs are not fit for purpose in today’s world of hybrid IT and persistent cyber attackers.
Imagine a world where you have no discoverable public-facing infrastructure for an attacker to exploit. This is what Zero Trust network access (ZTNA) brings … a new alternative to VPN. Attackers will find no exposed ports during their reconnaissance. And as we like to say, "you can't attack what you can’t see."
We look forward to a day when the security community can take a collective sigh of relief and say, "Rest in peace, VPN." We invite you to join the movement to switch from VPN to ZTNA and help #killthevpn.