People like to group things into categories, like problems and solutions. But in the security world, automatically lumping certain technologies into the “solutions” category leads us astray — they can be problems too. The security industry relearned this last month, when Russia-linked ransomware group REvil compromised the Kaseya VSA, leading to widespread lockouts and upwards of $70 million dollars worth of ransom demands.
Out of Sight ≠ Out of Mind
Let’s look at VPNs, one of my favorite targets, as an example. These made the news recently as well, when FireEye revealed several exploited vulns in Pulse Secure VPNs, and let’s not forget the Palo Alto bug from last year. While the Kaseya VSA was not quite the same as a VPN, it utilized remote access and was considered a “solution” by those deploying it. These were not the first, and certainly will not be the last newsworthy attacks of this sort. Last year a bevy of security appliance vulns were found, and I’ll admit Randori uses 0days as part of our platform.
A VPN is every bit as full-featured as any other computer on your network. But you don’t think of it as a computer; you think of it as a service. You stand up new appliances in your system once and typically never return to do maintenance on the configurations. Meanwhile, you aren’t able to install any new software on it to defend it in any way.
A VPN is attached to the internet, and also to your internal systems, but has little or no monitoring, security or redundancies installed because it is considered a “solution” rather than a “problem.”
But people should treat VPNs and security appliances the way they would treat any other high-risk asset.
A VPN is indeed a computer — a very powerful one that has privileges, stores credentials and can transit the security boundary. If I own this one device, I can see everything flowing through this information gateway. User credentials flow through your VPN? Sweet! Your user credentials flow through me.
Anyone Can Forget Their VPNs are Attackable — Even a Security Consulting Company
A while back, I was contracted to do a research project with a security consulting company. They were teaching energy companies how to build secure networks, and had a test power grid that they used to do so. They had a number of appliances deployed in their IT stack. But to access it all, they had a single Cisco VPN appliance for remote administration. Not wanting to pay for a Cisco switch for each VLAN, they had a single switch with about ten VLANs running through it. And while they had numerous layers of security, they had not set up a password on the VPN when standing it up. My team was able to log in as privileged users and bypass all their other protections with the box’s administrative privileges.
Here’s what their CISO did wrong: 1) he created a single point of failure and 2) assumed it could never fail and designed a security architecture around this assumption. What he should have done: buy physically different hardware and physically segment switches.
Another example where something similar happened. The CISO at a financial services firm installed a VPN so executives could access their desktops, their email — expected. I came up with a vuln in the software of the VPN. I landed on the VPN and got access to the underlying Linux operating system, where I was able to observe all the traffic coming through. I immediately got access to the rest of the domain — a Windows Network — against which the VPN authenticated users. I observe some traffic and steal the credential to access the domain. From there I immediately accessed a list of all users, computers, etc., listed in the domain.
I became the VPN.
Security teams treat high-risk assets which they consider problems very differently than they treat so-called solutions. Traditional endpoints are considered problems — they need EDR, external logging, and extensive monitoring. Why? Because you know you won’t be able to trust the logs coming out of a compromised device. If an asset is a problem, you probably put it behind a firewall, segment it from other high-value assets, and disconnect unused services. If it is a solution, you probably do none of those things. People treat VPNs and other appliances like solutions, when they are just as exploitable as any other asset.
Your VPN, A.K.A. Your Unguarded Linux Computer
I’m talking about VPNs, but the same logic applies to all out-of-the-box security appliances, including the Kaseya VSA. If an organization has no server farm, then everything they do is in the cloud. Their workloads have to flow through something, whether it’s a VPN or not. If a salesperson lives their whole life in Salesforce, their authentication mechanism to Salesforce is equivalent to a VPN now. To get online, you have to have remote access, giving you a virtual office presence. If an attacker intercepts that flow of information, they become your virtual office presence.
Most VPNs are simple computers operating on Linux or BSD, and come preloaded with a set of controls. These controls may or may not be right for the organization, but they usually cannot be altered. A customer doesn’t have access to the underlying operating systems in an appliance, but with decent planning and execution, an attacker will.
VPNs Are A Solvable Problem
Once an attacker has privileges on a box, it can no longer be trusted by its own admin. The monitoring data that a hacked appliance feeds to a security team may be completely false. But this problem is fixable — by looking at remote appliances with the attacker’s perspective.
The Kaseya VSA breach allegedly led to over 1 million devices being compromised. But the VSA itself was not the problem; the problem was that each of the companies using the VSA were treating it like a solution, and failing to practice defense in depth around a highly attackable asset.
Security leaders are already applying a lot of great thinking to how to secure the well-known “problems” they think about day-to-day. Apply that same thinking to your traditional “solutions” and you’ll be better off. You already deploy firewalls, WAFs, logging and segmentation on assets your program deems high risk. Security appliances need to be grouped into this category as well. The better you close these holes, the smaller your attack surface will be, and the trickier it will be for an attacker to access your crown jewels.