VPN users beware! Hackers find new method to spread malware
What's the story
Cybersecurity experts have warned about a new threat in which hackers are exploiting compromised Virtual Private Network (VPN) servers. The attackers are using them to steal sensitive data from unsuspecting users.
The new trend also highlights potential vulnerabilities in commonly used VPN clients.
Earlier this year, AmberWolf researchers found that criminals were specifically targeting popular VPN clients like SonicWall NetExtender and Palo Alto Networks GlobalProtect.
Deceptive tactics
Attackers use phishing techniques to trick users
The attackers use phishing and social engineering to trick users into connecting to rogue VPN servers they control.
They use malicious websites and cleverly disguised documents as bait, convincing victims to make connections that ultimately compromise their systems.
Once connected, the users unknowingly provide access to their VPN clients, allowing attackers to impersonate trusted servers and conduct malicious activities.
Security flaws
Hackers exploit VPN client vulnerabilities
The crux of the issue is that some VPN clients do not properly verify the legitimacy of the servers they connect to.
AmberWolf discovered these security flaws, dubbed "NachoVPN," and reported them to SonicWall and Palo Alto Networks.
The vulnerabilities were officially tracked as CVE-2024-29014 for SonicWall and CVE-2024-5921 for Palo Alto Networks.
Both companies have since taken action to fix the issues.
Mitigation measures
Companies issue patches and advise users
SonicWall released a patch for the vulnerability in July 2024, with the first secure version of NetExtender for Windows being 10.2.341.
Palo Alto Networks followed suit in November 2024, recommending that users upgrade to GlobalProtect 6.2.6 or enable FIPS-CC mode for better protection.
AmberWolf also created an open-source tool called NachoVPN, which simulates the attack and aids researchers in discovering more security gaps in different VPN clients such as Cisco AnyConnect, Ivanti Connect Secure, SonicWall and Palo Alto clients.
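For defenders, the fixed versions named above can be checked against a client inventory. The following is an added example, not code from AmberWolf or either vendor: the CSV columns, host names and status labels are hypothetical, and it assumes plain numeric version ordering against the single fixed version the article gives per product (other release branches may have their own fixed builds, which the article does not list).

```python
import csv
import io
import re

# First fixed versions as stated in the article above.
FIRST_FIXED = {
    "netextender": (10, 2, 341),    # SonicWall NetExtender for Windows
    "globalprotect": (6, 2, 6),     # Palo Alto Networks GlobalProtect
}

# Constructed sample inventory export; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,product,version,fips_cc
wks-001,NetExtender,10.2.339,no
wks-002,NetExtender,10.2.341,no
wks-003,GlobalProtect,6.2.4-652,no
wks-004,GlobalProtect,6.2.4-652,yes
wks-005,GlobalProtect,6.2.6,no
wks-006,GlobalProtect,unknown,no
"""

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, or None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(product, version, fips_cc):
    """Classify one row as ok, mitigated, vulnerable, unknown or untracked."""
    name = product.strip().lower()
    fixed = FIRST_FIXED.get(name)
    if fixed is None:
        return "untracked"          # product not covered by this article
    have = parse_version(version)
    if have is None:
        return "unknown"            # unparseable version: review by hand
    # Pad to equal length so 10.2 compares as 10.2.0.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    if have >= fixed:
        return "ok"
    if name == "globalprotect" and fips_cc.strip().lower() == "yes":
        return "mitigated"          # FIPS-CC mode, the alternative the article names
    return "vulnerable"

def audit(inventory_csv):
    """Map each host to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"], r["fips_cc"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" carry a version string the script could not parse and need a manual check rather than being assumed safe.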
Safety measures
User vigilance and regular updates are key
The NachoVPN tool highlights the changing threat landscape where even trusted security solutions can be turned into attack vectors.
AmberWolf stressed that the tool is platform-agnostic and adaptable, urging the cybersecurity community to work together in tackling emerging vulnerabilities.
For users, this incident is a grim reminder to remain vigilant and keep their VPN software updated to avoid falling prey to such sophisticated attacks.