Alerts from government sources in particular should be treated as critical vulnerabilities and escalated for immediate remediation. VPNs are the digital doors to our organizations, and they are continuously being tested by malicious actors. A new joint alert from NSA and FBI itemizes the vulnerabilities being used to infiltrate organizations through exposed VPN and remote-access solutions.
It is also clear that one member of this bad-actor community is the Russian intelligence services. They are tied to the SolarWinds supply-chain compromise, in which backdoor code was inserted into a software update, opening a digital pathway directly into government entities and businesses.
If you run any of these products, review them and immediately upgrade, patch, or follow the vendor's guidance for mitigating the vulnerabilities listed by the NSA:
- CVE-2018-13379 Fortinet FortiGate VPN (pre-authentication path traversal in the SSL VPN web portal that exposes session files)
- CVE-2019-9670 Synacor Zimbra Collaboration Suite (XML external entity injection in the mailboxd component)
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (pre-authentication arbitrary file read)
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal leading to remote code execution)
- CVE-2020-4006 VMware Workspace ONE Access (command injection in the administrative configurator)
For more information, review the advisory or visit NSA.gov/cybersecurity-guidance.
However, it should not take an NSA alert to make these vulnerabilities a priority: they are years old. The oldest, CVE-2018-13379, carries a critical CVSS score of 9.8 and should have kicked off a remediation plan the moment it was published.
At TECH LOCK we understand that resources are stretched and that items like this sometimes get buried in the backlog of other critical and important IT and security work. We do not judge; it is harder than ever to prioritize when everything is 'critical'.
Vulnerability management is a thankless job in most organizations: pushing IT to fix and patch, and reporting more findings with every new scan. That is one of the reasons we offer Vulnerability Management with our Managed Threat Detection and Response service.
Early detection of threats is effective, but unpatched vulnerabilities are how intruders get in and dwell in your organization. Remediation is a proactive way to minimize that risk, and the two disciplines are complementary: detection catches the attempts that arrive before a patch is applied, and patching shrinks the window in which those attempts can succeed.
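The detection half of that pairing, as an added example written for this post (it is not code from the advisory, TECH LOCK, or any vendor): a small scanner that reads web-server access logs in Apache/nginx "combined" format and flags requests shaped like known exploitation attempts against three of the five CVEs above. The request-URI indicators are assumptions drawn from widely published exploitation write-ups, not text from the advisory, and the log lines are constructed with documentation IP ranges. The security-relevant point it shows is that the URI must be percent-decoded (repeatedly, with a bound) before matching, because `%2e%2e` and `%252e%252e` are the same traversal as `..` to the target device but not to a naive string match.

```python
"""Scan web-server access logs for requests shaped like known exploitation
attempts against the VPN/gateway CVEs in the NSA/FBI advisory.

Example code written for this post; the indicator patterns are assumptions
drawn from public exploitation reporting, not text from the advisory."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-URI indicators for three of the five CVEs (assumed from public
# write-ups). They are applied to the percent-DECODED URI so that ".." is
# matched whether the attacker sent it plain, as %2e%2e, or double-encoded.
# CVE-2019-9670 (Zimbra XXE) and CVE-2020-4006 (Workspace ONE Access command
# injection) are not reliably visible in a URI-only access log; they need
# request-body or endpoint-side telemetry and are deliberately left out.
INDICATORS = {
    "CVE-2018-13379": re.compile(r"/remote/fgt_lang\?.*lang=.*sslvpn_websession"),
    "CVE-2019-11510": re.compile(r"/dana/html5acc/guacamole/\.\./"),
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/"),
    # Catch-all: any traversal that survives decoding deserves a look even if
    # it matches none of the CVE-specific shapes above.
    "TRAVERSAL": re.compile(r"(^|/)\.\.(/|$)"),
}


def normalize_uri(uri, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal is exposed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan_log(text):
    """Return a (indicator, client_ip, decoded_uri) tuple for every match."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uri = normalize_uri(m.group("uri"))
        for name, pattern in INDICATORS.items():
            if pattern.search(uri):
                hits.append((name, m.group("ip"), uri))
    return hits


# Constructed sample log (documentation IP ranges, not real clients). Lines 1
# and 6 are benign; line 5 is the Citrix traversal with "..” percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2021:10:12:30 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Apr/2021:10:12:33 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2021:10:13:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1201 "-" "curl/7.68.0"
192.0.2.44 - - [16/Apr/2021:10:14:10 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 65 "-" "python-requests/2.25"
192.0.2.44 - - [16/Apr/2021:10:14:12 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 310 "-" "python-requests/2.25"
192.0.2.44 - - [16/Apr/2021:10:14:15 +0000] "GET /vpn/index.html HTTP/1.1" 200 8823 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, ip, uri in scan_log(SAMPLE_LOG):
        print(f"{name:15} {ip:15} {uri}")
```

Run against the sample, the scanner reports the Fortinet, Pulse and both Citrix requests (the encoded one included) and stays silent on the two benign lines. A 200 status on any of these is the line to escalate first: on an unpatched device it usually means the file read or script drop succeeded. On production logs, feed real files to `scan_log` and treat the generic TRAVERSAL hits as triage candidates rather than confirmed exploitation.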
The good news is that dwell times have fallen significantly. In the 2021 M-Trends report, Mandiant researchers note that the global median dwell time (the number of days an attacker is in an environment before detection) has fallen to 24 days.
The bad news is that ransomware is increasing, and exploitable vulnerabilities are key tools ransomware families use to get in and do their damage. Once an attacker is in, they can execute ransomware immediately; they do not need a long dwell time to work out how to exfiltrate data and discover what it might fetch on the dark-web market. The model for financial gain is proven. Extortion tactics are escalating, with some groups even using 'call centers' to follow up on their victims, threatening to call their customers, board members, and standards organizations.
More bad news: ransomware families are also being used by APT groups. These nation-state actors are attacking critical organizations, big and small, riding on what ransomware has shown them about which attack vectors succeed.
One of the challenges small to medium-sized enterprises face is balancing where to invest in cybersecurity. Threats and tactics change rapidly, and what was recommended even two years ago is no longer sufficient. Our clients know that TECH LOCK services are designed to adapt to these situations and deliver the advanced cybersecurity coverage they need, now accessible and affordable through a fully managed end-to-end solution.
We would be happy to share how our security experts recently identified an intruder and, within 15 minutes, began the threat hunt and cyber maneuvers on behalf of our client. Contact info@techlockinc.com and we will walk through the kill-chain timeline and see where we can help your organization stay safe.