NSA, CISA Publish Fresh Guidelines for Guarding VPNs From State-Sponsored Hackers
The National Security Agency and the Department of Homeland Security’s cyber arm on Tuesday jointly published guidelines for securing virtual private network devices, along with a warning to users that foreign government-backed hackers are actively exploiting vulnerabilities in such networks. The advisory comes alongside the NSA’s repeated warnings about Chinese hackers who are out to exploit VPN vulnerabilities, CyberScoop reported Tuesday.
The NSA and the Cybersecurity and Infrastructure Security Agency said in their latest advisory that they would help protect the Department of Defense, national security systems and defense contractors against such advanced persistent threat groups, a term referring to state-sponsored hacking groups.
In a tweet, Rob Joyce, the NSA’s director of cybersecurity, said VPN servers are entry points into protected networks, making them attractive targets. He warned that APT actors have and will continue to exploit weaknesses in VPNs.
The NSA said in a separate news release that there are many dangers inherent to leaving VPNs unprotected against attacks from groups that exploit publicly exposed information security flaws in the Common Vulnerabilities and Exposures database. Hacking into these CVEs allows malicious actors to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device, the agency warned.
Singled out was a case in May 2021 wherein the Federal Bureau of Investigation issued a warning about hackers leveraging VPN technology made by Fortinet to target a municipal government. The agency said that notable VPN providers typically market their products with a promise of secure connection, giving customers a false sense of security.
The two agencies also said that the need to fortify VPNs become more pressing as federal agency personnel shift to working from home due to the COVID-19 pandemic.
Tags: CISA CyberScoop cybersecurity Department of Homeland Security National Security Agency Rob Joyce virtual private network VPN