Hackers launched a widespread attack against government agencies and hospitals using credentials stolen previously through a remote code execution vulnerability found in the VPN servers used by those entities. The vulnerability had been dealt with via patch, but much like the EternalBlue attack, many organizations failed to properly patch all of their servers. Unpatched devices are a risk that must be contended with by any organization, and the larger an organization’s footprint the more likely there’s a vulnerable device on its network.
The US Cybersecurity and Infrastructure Security Agency (CISA) has been warning of exploitation of this vulnerability since October 2019, and these servers have gone unpatched since then. In February, the FBI issued a FLASH security alert about the potential for exploitation by malicious actors that, apparently, went unheeded. CISA picked up on attempts to sell the stolen credentials after the attackers were unable to escalate them into something more useful that would grant access to data worth ransoming, stealing, or selling. CISA has further reported that
Patching VPN servers after an attack has occurred doesn’t solve the problem on its own, because a persistent attacker who has avoided being caught in a security sweep can remain on the server in question even after the fix is applied. The cyber threat intelligence firm Bad Packets has found over 2,000 vulnerable, unpatched VPN servers that could still be attacked with this method. While this is high, it’s down from the 15,000+ servers found in August 2019. Patching devices is a simple and effective way to improve the security of any organization. Consider implementing a way to push updates to all devices, and keep extensive records of the security patch status of any device used to store important data.
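The two recommendations above (track the patch status of every device, and treat a late patch as insufficient on its own) can be turned into a simple inventory check. The following is an added example and not code from the article or from any vendor or agency it mentions; the product name, the minimum fixed firmware version, the hostnames and the install dates are constructed placeholders, and the October 2019 cutoff is taken from the article's statement of when CISA began warning about exploitation. Devices below the fixed version are flagged as unpatched; devices that reached the fixed version only after exploitation was already public (or whose install date is unknown) are flagged for review, since the credentials on them should be rotated and the box swept for persistence rather than assumed clean.

```python
"""Patch-status inventory check for VPN appliances.

Added example (not from the article): given an inventory of VPN devices,
flag those still running a vulnerable firmware version, and separately flag
those that were patched only after exploitation was already public, because
a patch applied late does not evict an attacker who is already inside.
All product names, versions, hostnames and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical minimum fixed firmware version per product (placeholder values).
MIN_FIXED_VERSION: Dict[str, str] = {"vpn-appliance-x": "9.1.0"}

# The article says CISA has warned of exploitation since October 2019; a device
# that reached the fixed version only after this date needs a credential
# rotation and a persistence sweep, not just a checkmark.
EXPLOITATION_PUBLIC = date(2019, 10, 1)


@dataclass
class Device:
    hostname: str
    product: str
    version: str                # firmware version as reported by the device
    patched_on: Optional[date]  # date the current version was installed, None if unknown


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.1.0' into (9, 1, 0); non-numeric parts raise rather than pass silently."""
    return tuple(int(part) for part in v.strip().split("."))


def is_at_least(version: str, minimum: str) -> bool:
    """Compare dotted versions component-wise, padding so that '9.1' == '9.1.0'."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess(device: Device,
           min_fixed: Dict[str, str] = MIN_FIXED_VERSION,
           exploitation_public: date = EXPLOITATION_PUBLIC) -> str:
    """Classify one device.

    UNKNOWN_PRODUCT - no fixed-version record, so safety cannot be asserted
    UNPATCHED       - running a version below the fix
    REVIEW          - fixed version, but installed after exploitation was public
                      (or install date unknown): rotate credentials, sweep for persistence
    OK              - fixed version installed before the exploitation window
    """
    minimum = min_fixed.get(device.product)
    if minimum is None:
        return "UNKNOWN_PRODUCT"
    if not is_at_least(device.version, minimum):
        return "UNPATCHED"
    if device.patched_on is None or device.patched_on > exploitation_public:
        return "REVIEW"
    return "OK"


def report(devices: List[Device]) -> Dict[str, List[str]]:
    """Group hostnames by status so the result can feed a ticket queue or dashboard."""
    out: Dict[str, List[str]] = {"UNPATCHED": [], "REVIEW": [], "UNKNOWN_PRODUCT": [], "OK": []}
    for d in devices:
        out[assess(d)].append(d.hostname)
    return out


# Constructed inventory (not real hosts).
INVENTORY = [
    Device("vpn-gw-01", "vpn-appliance-x", "9.1.0", date(2019, 9, 15)),  # fixed before the window
    Device("vpn-gw-02", "vpn-appliance-x", "8.3.2", None),               # still vulnerable
    Device("vpn-gw-03", "vpn-appliance-x", "9.1",   date(2020, 3, 1)),   # fixed late
    Device("vpn-gw-04", "vpn-appliance-x", "9.2.0", None),               # fixed, date unknown
    Device("vpn-gw-05", "legacy-box",      "1.0",   date(2018, 1, 1)),   # no fix record
]

if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

In practice the inventory would be pulled from an asset database or the appliances' own management API rather than hard-coded, and the REVIEW bucket is the one that deserves a human: those hosts were reachable by an attacker during the known exploitation window, so the article's warning about persistent access applies to them directly.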