- Foreign bad actors are "routinely" exploiting unpatched VPNs in 2020, according to an alert issued by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The flaw was not one of the top 10 common vulnerabilities and exposures (CVEs) from 2016-2019.
- The agency designated two VPN vulnerabilities, an "arbitrary code execution" flaw in Citrix VPNs and an "arbitrary file reading" vulnerability in Pulse Secure, as most likely for bad actors to exploit.
- Other top 2020 vulnerabilities include flaws related to hasty deployments of collaboration software services and social engineering attacks that lead to ransomware exposure.
The massive work-from-home landscape is stressing enterprise security infrastructure. Vulnerabilities that weren't as risky in an office environment have become a minefield for remote workers.
CISA's alerts give organizations guidance on what flaws to prioritize. Ideally, zero trust could mediate application access, reserving VPN use for specific cases. Zero trust could then serve as a "tactical mitigation" for overloaded VPNs.
Security issues arise from poor patching, not from inherently flawed VPN solutions.
Microsoft's Object Linking and Embedding (OLE) was subject to three of the top 10 exploitable vulnerabilities from 2016-2019. In December, CISA found threat actors from China were targeting CVE-2012-0158, an exploit the U.S. government "publicly assessed in 2015 was the most used in their cyber operations."
After the agency traced the vulnerability, it concluded organizations failed to issue patches for the flaw. Malicious actors can still rely on dated flaws for their "operational tradecraft as long as they remain effective."
Patches were an issue before the coronavirus pandemic pushed offices to remote work, but now organizations are grappling with how to organize patch deployments. The vulnerabilities CISA called attention to have patches issued by their respective vendors.
Companies that have their systems exposed to the internet are at particularly high risk.
"Finding or acquiring zero-day vulnerabilities is a costly endeavor, so leveraging unpatched flaws with publicly available exploit code gets them to their end goal in the fastest and cheapest way possible," Satnam Narang, staff research engineer at Tenable, told CIO Dive in an email.
Malicious activity linked to VPNs was a trend that increased in 2019 because that was when "exploit code for several notable VPNs became publicly available," according to Narang.