Keep Attackers Out of VPNs: Feds Offer Guidance

The NSA and CISA issued recommendations on choosing and hardening VPNs to prevent nation-state APTs from weaponizing flaws & CVEs to break into protected networks.

Unsecured VPNs can be a hot mess: Just ask Colonial Pipeline (which got pwned by the crooks with an old VPN) or the 87,000 (at least) Fortinet customers whose credentials for unpatched SSL-VPNs were posted online earlier this month.

Vulnerabilities in VPN servers are like welcome mats to nation-state advanced persistent threat (APT) actors who’ve weaponized VPN CVEs and vulnerabilities to break into protected networks.

But as of Tuesday, as they have repeatedly attempted in the past, the Feds moved to whisk away that mat.

On Tuesday, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on selecting and hardening remote access virtual private networks (VPNs): guidance that will hopefully help U.S. military leaders to better understand what risks are associated with these devices.

What’s at Stake

As the advisory from the NSA and CISA explained, exploiting CVEs associated with VPNs can enable a malicious actor “to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive

Read More: https://threatpost.com/vpns-nsa-cisa-guidance/175150/