Summarize

Simplifying... Inshort

Hackers are exploiting VPN vulnerabilities, tricking users into connecting to rogue servers, and spreading malware.
Security flaws, named "NachoVPN," were found in some VPN clients, leading SonicWall and Palo Alto Networks to issue patches.
Users are urged to stay vigilant, regularly update their VPN software, and use tools like NachoVPN to identify potential security gaps.

Was a long read? Making it simpler...

Next Article

Hackers are exploiting compromised Virtual Private Network (VPN) servers

VPN users beware! Hackers find new method to spread malware

By Mudit Dube

Nov 28, 2024

05:41 pm

What's the story

Cybersecurity experts have warned about a new threat in which hackers are exploiting compromised Virtual Private Network (VPN) servers. The attackers are using them to steal sensitive data from unsuspecting users. The new trend also highlights potential vulnerabilities in commonly used VPN clients. Earlier this year, AmberWolf researchers found that criminals were specifically targeting popular VPN clients like SonicWall NetExtender and Palo Alto Networks GlobalProtect.

Deceptive tactics

Attackers use phishing techniques to trick users

The attackers use phishing and social engineering to trick users into connecting to rogue VPN servers they control. They use malicious websites and cleverly disguised documents as bait, convincing victims to make connections that ultimately compromise their systems. Once connected, the users unknowingly provide access to their VPN clients, allowing attackers to impersonate trusted servers and conduct malicious activities.

Security flaws

Hackers exploit VPN client vulnerabilities

The crux of the issue stems from some VPN clients not properly authenticating the legitimacy of the servers they connect to. AmberWolf discovered these security flaws, dubbed "NachoVPN," and reported them to SonicWall and Palo Alto Networks. The vulnerabilities were officially tracked as CVE-2024-29014 for SonicWall and CVE-2024-5921 for Palo Alto Networks. Both companies have since taken action to fix the issues.

Mitigation measures

Companies issue patches and advise users

SonicWall released a patch for the vulnerability in July 2024, with the first secure version of NetExtender for Windows being 10.2.341. Palo Alto Networks followed suit in November 2024, recommending users to upgrade to GlobalProtect 6.2.6 or enable FIPS-CC mode for better protection. AmberWolf also created an open-source tool called NachoVPN, which simulates the attack and aids researchers in discovering more security gaps in different VPN clients such as Cisco AnyConnect, Ivanti Connect Secure, SonicWall and Palo Alto clients.

Safety measures

User vigilance and regular updates are key

The NachoVPN tool highlights the changing threat landscape where even trusted security solutions can be turned into attack vectors. AmberWolf stressed that the tool is platform-agnostic and adaptable, urging the cybersecurity community to work together in tackling emerging vulnerabilities. For users, this incident is a grim reminder to remain vigilant and keep their VPN software updated to not fall prey to such sophisticated attacks.