Cyber Resilience – VPN Exploitation, Don’t Blindly Trust Your VPN

Created: Tuesday, August 13, 2024 - 15:13
Categories:
Cybersecurity, Security Preparedness

From ransomware groups to state-sponsored actors, many types of cyber threat actor are exploiting vulnerabilities in edge devices and remote services. Edge devices should be counted among an organization's critical assets, and their security should be one of its highest priorities. That includes VPNs: a compromised VPN server can give an attacker an easy route to other critical assets on the internal network. Much of edge-device security is straightforward, such as updating software regularly and applying patch management to every externally exposed device. Unfortunately, beyond vulnerabilities, there are post-exploitation techniques within VPNs for which no fix is available, affecting products such as Ivanti Connect Secure and FortiGate. Overall, securing VPNs is challenging, and one key takeaway emerges: avoid placing blind trust in your VPN.

In a recent blog post, researchers from Akamai shared insights on VPN post-exploitation techniques: the methods attackers use to escalate an intrusion once a VPN server has already been compromised, a threat that is often overlooked. WaterISAC is sharing the recommendations listed in the Akamai blog post and suggests that sysadmins review them to help secure edge devices throughout the sector. The recommendations include:

Employ Zero Trust Network Access. Traditional VPNs have a major flaw in their access model: a user gets either full access to the network or none at all, so an attacker who compromises the VPN server inherits that full access. The challenge is to provide remote access to internal applications while protecting the integrity of the rest of the network. Zero Trust Network Access (ZTNA) addresses this by applying access policies per entity (which user or device may reach which application), permitting the approved remote operations and nothing more, and so limiting the impact of a breach. Review the NSA's cybersecurity advisories on advancing zero trust maturity for more guidance.

Limit service account permissions. Service accounts used by the VPN should be granted the minimum permissions the integration needs, ideally read-only access. Defenders should assess how an attacker who controls the VPN could reuse the credentials stored on it, and ensure that a compromise of the device does not become access to other critical assets. Some integrations require service accounts with elevated permissions, but such configurations are best avoided wherever possible.

Use dedicated identities for VPN authentication. An attacker with control over the VPN can trivially capture the credentials of users authenticating through it, so relying on an existing authentication service such as Active Directory (AD) is risky: it turns the VPN into a single point of failure for those credentials. Instead, implement a separate, dedicated method for VPN user authentication, such as certificate-based authentication with certificates issued specifically for VPN access and trusted for nothing else, so that credentials captured on a compromised VPN are not valid anywhere else in the network.
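As an added example (not from the WaterISAC post or the Akamai research), the following POSIX shell script shows what a dedicated VPN identity looks like in practice: a private CA that exists only to issue VPN client certificates, a user certificate it signs, and the trust check the VPN gateway should perform. It assumes the openssl command-line tool is installed; the CA names, user names, file layout and the minimal openssl.cnf it writes are illustrative and not taken from any vendor's documentation.

```shell
#!/bin/sh
# Added example: a dedicated CA for VPN client authentication, separate
# from the directory (AD) identities the rest of the network uses.
# Assumes the openssl CLI; all names and paths below are illustrative.
set -u

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. v3_ca: the VPN CA; v3_client: a VPN user certificate;
# v3_server: a TLS server certificate, used below as a negative case.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
}

# make_ca CNF DIR NAME: self-signed CA whose only job is signing VPN users.
make_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$2/ca.key"
  openssl req -new -x509 -key "$2/ca.key" -subj "/CN=$3" -days 3650 \
    -config "$1" -extensions v3_ca -out "$2/ca.crt"
}

# issue_cert CNF CADIR OUTDIR NAME PROFILE: key, CSR and certificate signed
# by the CA in CADIR with the named extension profile (v3_client/v3_server).
issue_cert() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$3/$4.key"
  openssl req -new -key "$3/$4.key" -subj "/CN=$4/OU=vpn-users" \
    -config "$1" -out "$3/$4.csr"
  openssl x509 -req -in "$3/$4.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 365 -extfile "$1" -extensions "$5" \
    -out "$3/$4.crt" 2>/dev/null
}

# vpn_accepts CA_CERT CLIENT_CERT: the check the gateway must make. Trust
# only the dedicated CA (not the system store, not the domain's CA) and
# require the client-authentication purpose.
vpn_accepts() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" -purpose sslclient "$2" \
    >/dev/null 2>&1
}

# demo: one VPN CA, one unrelated CA, three certificates. Only alice,
# issued by the VPN CA with the client profile, should be accepted.
demo() {
  work=$(mktemp -d)
  cnf="$work/openssl.cnf"
  write_openssl_cnf "$cnf"
  mkdir "$work/vpnca" "$work/otherca" "$work/certs"
  make_ca "$cnf" "$work/vpnca"   "Example VPN Client CA"
  make_ca "$cnf" "$work/otherca" "Example Unrelated CA"
  issue_cert "$cnf" "$work/vpnca"   "$work/certs" alice   v3_client  # legitimate user
  issue_cert "$cnf" "$work/otherca" "$work/certs" mallory v3_client  # wrong CA
  issue_cert "$cnf" "$work/vpnca"   "$work/certs" gateway v3_server  # right CA, wrong purpose
  result=""
  for name in alice mallory gateway; do
    if vpn_accepts "$work/vpnca/ca.crt" "$work/certs/$name.crt"; then
      result="$result $name=accepted"
    else
      result="$result $name=rejected"
    fi
  done
  rm -rf "$work"
  echo "${result# }"
}

demo
```

The point of the negative cases is the trust boundary: mallory's certificate is perfectly valid, just not issued by the VPN's own CA, and the gateway certificate chains correctly but lacks the client-authentication purpose. A gateway that trusts the operating system's CA bundle, or the same enterprise CA that issues everything else, loses exactly this separation; if the VPN is compromised, the certificates it sees should open nothing beyond the VPN itself.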

Monitor configuration changes. To detect configuration changes effectively, regularly retrieve the device configuration and compare it against a known-good "golden" configuration; any difference that is not tied to an approved change should be investigated. Most devices also have internal logging that records system and security events, so collect and analyze those logs (ideally forwarded off the device, where an attacker who controls it cannot alter them) to uncover suspicious modifications to the device configuration.
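As an added example (not from the post), the following POSIX shell script implements the two checks above against constructed sample data: it normalizes a retrieved running configuration and a stored golden configuration, diffs them, and scans device event logs for configuration changes by anyone not on an approved list. The configuration syntax and the log format are made up for the example and are not any vendor's format; the hostnames, user names and addresses are likewise illustrative.

```shell
#!/bin/sh
# Added example: detect configuration drift against a golden config and
# flag config-change events by unapproved actors. The config syntax and
# log format are constructed for the example, not a vendor's.
set -u

# normalize_config FILE: drop comments, blank lines and trailing whitespace
# so the diff shows real configuration changes rather than noise such as
# "! Last configuration change ..." timestamp lines.
normalize_config() {
  grep -v -E '^[[:space:]]*[#!]' "$1" \
    | grep -v -E '^[[:space:]]*$' \
    | sed 's/[[:space:]]*$//'
}

# config_drift GOLDEN CURRENT: unified diff of the normalized configs on
# stdout; returns 0 when they match and 1 when the device has drifted.
config_drift() {
  g=$(mktemp); c=$(mktemp)
  normalize_config "$1" > "$g"
  normalize_config "$2" > "$c"
  diff -u "$g" "$c" && rc=0 || rc=$?
  rm -f "$g" "$c"
  return "$rc"
}

# suspicious_config_events LOG ALLOWED: print every config_change event
# whose actor is not in the space-separated ALLOWED list.
suspicious_config_events() {
  allowed=" $2 "
  grep 'event=config_change' "$1" | while read -r line; do
    actor=$(printf '%s\n' "$line" | sed -n 's/.*actor=\([^ ]*\).*/\1/p')
    case "$allowed" in
      *" $actor "*) ;;              # approved change actor
      *) printf '%s\n' "$line" ;;   # flag for review
    esac
  done
}

# demo: golden baseline vs. a tampered running config, plus the device log
# from the same window. Prints the diff, the flagged events and a summary.
demo() {
  work=$(mktemp -d)
  # Golden configuration, approved and stored off the device (constructed).
  cat > "$work/golden.conf" <<'EOF'
# vpn01 approved baseline
hostname vpn01
ntp server 10.0.0.5
admin user alice role superadmin
admin user bob role readonly
vpn portal employees
  auth method certificate ca vpn-client-ca
  split-tunnel disabled
logging remote 10.0.0.20
EOF
  # Configuration retrieved from the device today (constructed): a new
  # superadmin was added and the portal was switched to LDAP passwords.
  cat > "$work/current.conf" <<'EOF'
# vpn01 running configuration
! Last configuration change at 02:14:31 UTC Tue Aug 13 2024
hostname vpn01
ntp server 10.0.0.5
admin user alice role superadmin
admin user bob role readonly
admin user support role superadmin
vpn portal employees
  auth method password ldap corp-ad
  split-tunnel disabled
logging remote 10.0.0.20
EOF
  # Device event log (constructed). Only alice is an approved change actor.
  cat > "$work/events.log" <<'EOF'
2024-08-12T16:20:03Z vpn01 event=config_change actor=alice src=10.0.1.15 path=ntp result=success
2024-08-13T02:13:55Z vpn01 event=login actor=support src=203.0.113.7 result=success
2024-08-13T02:14:07Z vpn01 event=config_change actor=support src=203.0.113.7 path=admin/user result=success
2024-08-13T02:14:31Z vpn01 event=config_change actor=support src=203.0.113.7 path=vpn/portal/employees/auth result=success
EOF
  if config_drift "$work/golden.conf" "$work/current.conf" > "$work/drift.txt"; then
    drift=0
  else
    drift=1
  fi
  added=$(grep '^+[^+]' "$work/drift.txt" | awk 'END { print NR }')
  removed=$(grep '^-[^-]' "$work/drift.txt" | awk 'END { print NR }')
  flagged=$(suspicious_config_events "$work/events.log" "alice" | awk 'END { print NR }')
  cat "$work/drift.txt"
  suspicious_config_events "$work/events.log" "alice"
  rm -rf "$work"
  echo "drift=$drift added=$added removed=$removed flagged=$flagged"
}

demo
```

Two details matter in practice. The normalization step is what keeps the check quiet: without it, every retrieval would differ on the timestamp line and the alerts would be ignored. And the log check corroborates the diff: the drift alone says the portal's authentication method changed, while the events show who made the change and from where (an unknown account from an external address), which is the difference between a misconfiguration ticket and an incident.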

Access the full blog post at Akamai.