Virtual private network holes elevate remote access risk
Virtual private network (VPN) implementations that provide remote access to operational technology (OT) networks have come under greater scrutiny during COVID-19, as more people work remotely.
With more people working from home in the wake of COVID-19, remote code execution vulnerabilities in VPN products used primarily to provide remote access to operational technology (OT) networks have moved into focus.
These dedicated remote access solutions are aimed mainly at the industrial control system (ICS) market, and their primary use case is maintenance and monitoring of field controllers and devices such as programmable logic controllers (PLCs) and input/output (I/O) modules. They are typically deployed at the outer boundary of the network, at level 5 of the Purdue model, and provide access to the field controllers and devices located at levels 1/0. Exploiting these vulnerabilities can give an attacker direct access to those field devices and potentially cause physical damage.
Vulnerable products are widely used in field-based industries such as oil and gas, water utilities, and electric utilities, where secure connectivity to remote sites is critical. Beyond site-to-site connectivity, these solutions also let remote operators and third-party vendors connect into customer sites to maintain and monitor PLCs and other level 1/0 devices. Such access has become a particular priority in recent months under the new reality of COVID-19.
To better understand the risk posed by the exploitation of these vulnerabilities and what can be done to defend against such attacks, the Claroty Research Team extensively tested the security posture of a few popular remote access solutions. The following are the research findings:
Remote access servers
Vulnerable remote access servers are a highly effective attack surface for threat actors targeting VPNs. These tools let clients connect through an encrypted tunnel to a server, which then forwards the traffic into the internal network. That makes the server a critical asset: it has one “leg” on the internet, reachable by anyone, and one “leg” in the secured internal network, behind all perimeter security measures. Gaining control of it therefore lets attackers not only view internal traffic but also communicate as if they were a legitimate host on the network.
In recent years there has been a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost. Vendors usually also offer white-labeled versions that large companies can purchase to run their own branded cloud instance while the underlying software is exactly the same. Finding a bug in one instance could therefore mean that all other instances are affected too.
Remote network connections
One of the big challenges in the ICS industry is securing the connection between remote sites and the main data center where the SCADA/data collection server is located. In recent times we have seen multiple incidents in which internet-facing ICS devices were accessed directly without any credentials; this threat was recently addressed in a CISA alert. To avoid such scenarios, multiple ICS VPN solutions exist to make these connections between remote sites and the central site securely.
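The scenario above (a field device reachable straight from the internet rather than only through the site VPN) is easy to spot in perimeter firewall logs once you know which ports the ICS protocols use. The following is an added example, not code from the article or from Claroty: it scans constructed firewall log lines and flags accepted connections to common ICS service ports (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818, S7comm 102) whose source is outside the VPN client pool or the SCADA server range. The log format, the address ranges and the sample lines are all assumptions for illustration; adapt `parse_line()` and `ALLOWED_SOURCES` to your own firewall.

```python
"""Flag direct (non-VPN) access to ICS service ports in firewall logs.

Added example, not part of the original article. The log format below is
constructed for illustration; real firewalls differ, so adapt parse_line().
"""
import ipaddress
import re
from dataclasses import dataclass

# Well-known ICS/OT protocol ports (TCP). The allow-list of sources that may
# legitimately reach them is constructed: the VPN concentrator's client pool
# and the SCADA server subnet. Anything else is a direct, unexpected path.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm/ISO-TSAP"}
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.200.0.0/24"),   # VPN client pool (assumed)
    ipaddress.ip_network("10.10.5.0/24"),    # SCADA servers (assumed)
]

# Constructed log format: "<ts> <host> ACCEPT src=.. dst=.. proto=.. sport=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>TCP|UDP) sport=\d+ dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    protocol: str


def parse_line(line):
    """Return (ts, src, dst, dport) for a line in the constructed format, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])


def is_allowed_source(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def scan(lines):
    """Return one Finding per accepted connection to an ICS port from a source
    outside the allow-list. A public source address is the clearest sign that
    a field device is reachable straight from the internet."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unparseable lines are skipped, not fatal
            continue
        ts, src, dst, dport = parsed
        if dport in ICS_PORTS and not is_allowed_source(src):
            findings.append(Finding(ts, src, dst, dport, ICS_PORTS[dport]))
    return findings


# Constructed sample log lines (not real traffic). Two of them show public
# addresses reaching a PLC and an EtherNet/IP device directly; the 443 hit
# is ignored because it is not an ICS port.
SAMPLE_LOG = """\
2020-06-01T08:00:01Z fw-site1 ACCEPT src=10.200.0.17 dst=10.1.1.20 proto=TCP sport=51000 dport=502
2020-06-01T08:00:05Z fw-site1 ACCEPT src=198.51.100.23 dst=10.1.1.20 proto=TCP sport=40122 dport=502
2020-06-01T08:00:09Z fw-site1 ACCEPT src=203.0.113.9 dst=10.1.1.21 proto=TCP sport=40123 dport=44818
2020-06-01T08:00:12Z fw-site1 ACCEPT src=10.10.5.4 dst=10.1.1.22 proto=TCP sport=40124 dport=20000
2020-06-01T08:00:15Z fw-site1 ACCEPT src=198.51.100.23 dst=10.1.1.30 proto=TCP sport=40125 dport=443
garbage line that does not parse
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.protocol}) "
              "reached from outside the VPN/SCADA ranges")
```

Run against the constructed sample, the scan reports the two connections from 198.51.100.23 and 203.0.113.9; the VPN-pool and SCADA-server sources are treated as expected paths, and the port 443 connection is not an ICS finding. In production you would feed the same logic from the SIEM and alert on any finding, since a legitimate path to a level 1/0 device should only ever originate from the VPN concentrator or the SCADA servers.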
Another prevalent attack surface for targeting VPNs is the client. Taking control of an authorized user’s computer gives attackers that user’s VPN credentials, and potentially those of other employees, letting the adversary penetrate and expand their foothold in the organization’s internal network without needing to attack the server instance at all.
Cybersecurity threat trends
Remote access trend: In recent weeks we have seen numerous vulnerabilities published in popular remote access solutions. In the COVID-19 era of working from home, we expect the increased use of these platforms to drive interest both from the operational side, as they become more process-critical, and from the security side, as they become more common. Denial-of-service (DoS) attacks on these components of the enterprise infrastructure could emerge as a new tactic for financially motivated attackers.
ICS ransomware: Advanced persistent threat (APT) activity is on the rise, and we have seen it shift from wide-reaching, largely indiscriminate attacks to highly targeted ones. OT has been a key target for ransomware groups in recent months, and these attacks have focused primarily on the information technology (IT) components of OT networks, such as human machine interfaces (HMIs) and engineering workstations.
Leveraging vulnerabilities in edge devices can give these groups direct access to ICS devices and other key targets, which once taken over could yield the most benefit for the attackers’ business model. A good example of this tactic is the recent Honda attack: Honda said one of its internal servers was attacked externally, that the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems, and that “the virus had spread” throughout its network, without providing further details. The auto giant was hit by the EKANS (SNAKE spelled backward) ransomware.
Phishing campaigns: Claroty has been focusing on client-side attacks because of the increase in APT activity targeting OT networks through phishing campaigns. The main focus of our research in this area is finding vulnerabilities and exploits affecting OT-relevant clients, as demonstrated by attacks on VPN clients.
These vulnerabilities reinforce the risks unique to OT remote access. While the security features of most VPNs make them generally well suited to IT remote access, those features tend to fall short of the stringent role- and policy-based administrative controls and monitoring capabilities needed to secure OT remote access connections and minimize the risk introduced by employees and third parties.
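To make the difference between IT-style and OT-style remote access controls concrete, the following added example (not code from the article or from any vendor product) evaluates a set of constructed vendor and operator session requests under two policies. The weak policy is what a plain VPN gives you: once the user has authenticated, the whole level 1/0 subnet is reachable on any port. The hardened policy scopes each role to named assets and protocol ports, a maintenance window, and an approved change ticket, and records which control denied a request so the audit trail is useful. The roles, hosts, ticket numbers and time windows are all assumptions for illustration.

```python
"""Role- and policy-based authorization for OT remote access sessions.

Added example, not code from the article or from any vendor product. Roles,
hosts, ticket numbers and windows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str                       # constructed roles: "vendor", "operator", ...
    dst: str                        # target host inside the OT network
    dport: int
    when: datetime                  # timezone-aware
    ticket: Optional[str] = None    # change/maintenance ticket, if any


OT_SUBNET = ipaddress.ip_network("10.1.1.0/24")   # assumed level 1/0 subnet


def weak_policy(req: Request) -> Tuple[bool, str]:
    """IT-style check: the user authenticated to the VPN, so every host in the
    OT subnet is reachable on every port. Nothing ties the session to a task."""
    if ipaddress.ip_address(req.dst) in OT_SUBNET:
        return True, "authenticated; OT subnet reachable"
    return False, "destination outside OT subnet"


@dataclass(frozen=True)
class Grant:
    hosts: frozenset              # assets this role may reach
    ports: frozenset              # protocol ports this role may use
    window: Tuple[int, int]       # permitted UTC hours [start, end)
    needs_ticket: bool            # require an approved change ticket


GRANTS = {
    # Pump-skid vendor: one PLC, Modbus/TCP only, daytime, ticket required.
    "vendor": Grant(frozenset({"10.1.1.20"}), frozenset({502}), (8, 18), True),
    # Site operators: two SCADA-facing hosts over Modbus/DNP3, any time.
    "operator": Grant(frozenset({"10.1.1.30", "10.1.1.31"}), frozenset({502, 20000}), (0, 24), False),
}
APPROVED_TICKETS = {"CHG-2020-0417"}   # constructed


def hardened_policy(req: Request) -> Tuple[bool, str]:
    """OT-style check. Each deny reason names the control that fired."""
    grant = GRANTS.get(req.role)
    if grant is None:
        return False, "role has no OT grant"
    if req.dst not in grant.hosts:
        return False, f"{req.dst} not in grant for role {req.role}"
    if req.dport not in grant.ports:
        return False, f"port {req.dport} not permitted for role {req.role}"
    start, end = grant.window
    if not (start <= req.when.astimezone(timezone.utc).hour < end):
        return False, "outside approved maintenance window"
    if grant.needs_ticket and req.ticket not in APPROVED_TICKETS:
        return False, "no approved change ticket"
    return True, "allowed"


def _at(hour: int) -> datetime:
    return datetime(2020, 6, 1, hour, 0, tzinfo=timezone.utc)


# Constructed session requests: one legitimate vendor job, then the same
# vendor drifting to another PLC, working off-hours, using a different
# protocol, a role with no grant at all, and a normal operator session.
SAMPLE_REQUESTS = [
    Request("acme-tech", "vendor", "10.1.1.20", 502, _at(10), "CHG-2020-0417"),
    Request("acme-tech", "vendor", "10.1.1.21", 502, _at(10), "CHG-2020-0417"),
    Request("acme-tech", "vendor", "10.1.1.20", 502, _at(23), "CHG-2020-0417"),
    Request("acme-tech", "vendor", "10.1.1.20", 44818, _at(10), "CHG-2020-0417"),
    Request("helpdesk1", "helpdesk", "10.1.1.20", 502, _at(10), None),
    Request("ops-shift2", "operator", "10.1.1.30", 20000, _at(2), None),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (user, target, weak_allowed, hardened_allowed, reason) per request."""
    rows = []
    for r in requests:
        weak, _ = weak_policy(r)
        hard, reason = hardened_policy(r)
        rows.append((r.user, f"{r.dst}:{r.dport}", weak, hard, reason))
    return rows


if __name__ == "__main__":
    for user, target, weak, hard, reason in evaluate():
        print(f"{user:<12}{target:<18}weak={weak!s:<6} hardened={hard!s:<6} {reason}")
```

Under the weak policy all six requests are allowed, because every destination is inside the OT subnet; that is exactly the "legitimate host on the network" position an attacker inherits from a stolen client or a compromised server. Under the hardened policy only the ticketed daytime vendor session to its own PLC and the operator session succeed, and the other four are denied with a reason that can be alerted on. The same evaluation belongs in the remote access broker itself, not in the PLC, since the field devices cannot enforce any of these conditions.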