CISA Emergency Directive 21-03: VPN Vulnerabilities Actively Exploited
On April 20, 2021, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released an alert on the exploitation of Pulse Connect Secure Vulnerabilities with Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, as well as Emergency Directive (ED) 21-03, after a FireEye blog shed light on security incidents involving compromises of Pulse Secure VPN appliances. The directive outlines the specific actions all US federal agencies should take to mitigate the vulnerability and maintain compliance.
ED 21-03 was issued in response to active nation state exploitation of a series of Pre-Authentication Remote Code Execution vulnerabilities including one that was discovered this month, according to a blog by Pulse Secure. CISA's ED comes on the heels of the April 15, 2021 cybersecurity advisory from the National Security Agency warning of publicly known vulnerabilities being exploited in an effort to obtain authentication credentials to allow further access.
Continuation of a trend
While CISA's warning about the Pulse VPN vulnerability is top of mind, this is really just the latest example of a pattern that has repeated itself for the past 2 years. Several classes of adversaries have focused on exploiting vulnerabilities in remote access VPNs as a means of initial compromise. For example, Industrial Control System attacks, fraudsters targeting financial services, and even ransomware crooks.
What is driving this trend?
Remote access VPNs have really been workhorses for decades, providing access to a diverse set of applications built by enterprises over decades. But as the VPN was asked to adapt to modern applications, which are overwhelmingly web-based and presented via a browser, things got complicated. To accommodate this dominant usage pattern, VPNs basically built in web server capabilities. The best discussion of an attacker's perspective of attacking SSL VPNs was the talk at DEF CON 27 in 2019 . As the presenters describe, the embedded web server inside modern VPN concentrators presents a significant attack surface. How many organizations protect their VPN with all the web-specific protections, like a web application firewall, that are standard protections for their other web servers?
What do you do right now?
The first step is to follow the vendor remediation guidance to install the security patch. You can find more information on that here.
Take a hard look at how and where you secure your perimeter. As the workforce is increasingly working remotely and the applications people use to be productive are increasingly located in the cloud, hardware VPN concentrators deployed at the corporate premises force users' traffic to take highly inefficient routes. These changes in computing and work patterns are driving shifts away from hardware VPNs and toward edge-based Zero Trust access solutions.\
Shifting from a remote access VPN to Zero Trust access models may be the single largest step an agency can take to better align to the National Institute of Standards and Technology's Zero Trust Architecture. The FireEye blog describes how adversaries are harvesting credentials to the VPN and then exploiting the perimeter security model to move laterally as they navigate to their ultimate targets. This is the exact type of attack Zero Trust architectures are designed to mitigate.
It's important to note that edge-based Zero Trust access solutions are also able to natively embed the entire web application security suite. This is designed to allow for the elimination of the risk of the web server functionality that may currently be exposed in legacy VPN solutions.
This isn't the last we've heard of these vulnerabilities. It's essential to remain vigilant, as adversaries have their sights set on such attractive targets and are actively exploiting these weaknesses. It's one thing to know there is an issue; it's another thing entirely when that issue is actively being used for exploitation and will continue to be targeted.
If you'd like to talk more about how to move forward with a Zero Trust approach to bring your agency access in line with the rest of your security, reach out to us to get started today.