With the increasing sophistication of cyber threats – and cyberattacks themselves becoming more ruthless and efficient, virtual private network (VPN) services face a new set of challenges that can compromise not just the security and integrity of organizational data, but the network where the data lives.
Among these challenges, zero-day vulnerabilities pose a significant risk, as they can expose businesses to critical cyberattacks.
A zero-day vulnerability is a security flaw in software that is unknown to the vendors. The term 'zero-day' indicates that the developers have had zero days to address and patch the vulnerability since it was first discovered.
This is exemplified by the recent exploitation of Ivanti Connect Secure and Policy Secure Gateways which impacted the businesses using their VPN service.
What happened in short
Ivanti disclosed two vulnerabilities at the beginning of January this year, followed by two additional vulnerabilities disclosed on January 31, 2024. These affect all supported versions of the Ivanti Connect Secure and Ivanti Policy Secure Gateway products, enabling attackers to run commands on the system. To this day, these vulnerabilities are still being addressed and the holes patched.
As stated by CISA (Cybersecurity & Infrastructure Security Agency of the U.S.A.), Ivanti’s vulnerabilities can be used in a “chain” of exploits, enabling hackers to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
VPNs play a crucial role in securing business networks, allowing remote workers to access corporate resources in an efficient way. But because VPNs live on the Internet, they also pose a significant security issue for companies.
This blog explores the top three VPN challenges that put your business at risk when a zero-day-vulnerability is discovered, highlighting the importance of advanced VPN security solutions like Anapaya GATE and the benefits of the SCION Internet for reduced cyberattack risks.
Challenge 1: Massive attack surface of VPN services
The steep rise of hybrid workforces in recent years has led most organizations to use VPNs to enable access for remote workers. This shift has positioned VPNs as one of the most common avenues for malicious actors to secure initial access onto a target network. Why? Because VPNs – currently de facto – have a massive attack surface since they operate on the Internet. In essence, a VPN is designed to securely extend your network to a remote endpoint, and in scenarios involving a remote workforce, it connects thousands or even tens of thousands of remote endpoints across the Internet, a network that – as we are all well aware – has a massive attack surface.
A survey led by Zscaler states that 88% of their survey’s respondents are concerned that their VPN may jeopardize their environment’s security. Rightly so. In recent months, all major VPN providers have been disclosing zero-day vulnerabilities, from Ivanti to Palo Alto Networks, Cisco and Fortinet, underscoring the urgent need for robust VPN security solutions.
What the Anapaya GATE solution does to help this scenario is hide your VPN service from the Internet, meaning it prevents intrusion attacks by reducing attack surface by up to 99% compared to the traditional Internet. In the Ivanti case, if your VPN had been on the SCION Internet after the zero-day vulnerability was discovered, the vast majority of cyber criminals wouldn’t have been able to see your specific VPN and thus attack it.
Challenge 2: Zero-day vulnerabilities turning into attacks
We do not like to be the ones to put it out there, but YOU are a target. Because your VPN lives on the Internet, you are exposed to cybercrime from all over the world. These are bad actors who are constantly scanning your network to find holes and get in – often exploiting zero-day vulnerabilities found in widely used software just like in the Ivanti case.
Our team looked at tracking the number of attacks perpetrated against a Swiss financial institution in Switzerland for a quarter in 2023. During that time, they suffered 8M+ attacks with unspecified intent (scans) and 85K+ attacks with malicious intent on their VPN infrastructure.
The sheer size of scans makes it nearly impossible to prevent an intrusion attack from escalating into a malicious attack, or to block, mitigate, or circumvent one that is happening.
The same financial institution mentioned above tried out something new: they decided to put their VPN on the SCION Internet accessed via by their users via Anapaya GATE as well.
During the same quarter in 2023, they identified only 18K+ attacks with unspecified intent (scans) and 0 attacks with malicious intent. And by being in control of the attack surface, they could more easily monitor and detect scans, enabling them to react quicker to potential breaches.
Attacks with unspecified intent
Attacks with malicious intent
Challenge 3: Once cybercriminals are in, they are in
Once the hackers have gained access to your network via a hole in your system or in the software like in the Ivanti scenario, they are in – even if you figure it out and patch it. In the time it takes to fix such a flaw, hackers can exploit such vulnerabilities to seize control of an organization’s network tools and use them to drill even deeper into that business’s IT environment. In other words, they can (and do) create the infamous backdoor – or even several of them. You don’t know when they will hit you with something else like malware, spyware or ransomware as some of the worst. For businesses everywhere, you do not want your data or money on the table.
Anapaya GATE minimizes the risk of such a breach happening by giving you fine-grained control over where your VPN service is accessible. Instead of being visible to everyone on the Internet, your VPN service is exposed only to remote users coming through the GATE infrastructure.
Enhance your business VPN security
In the case of Ivanti customers, businesses with their VPN services could have circumvented this exploited vulnerability if they had the VPN services on the SCION Internet and access to the VPN service had been limited to Anapaya GATE remote users.
This would, of course, be of particular interest to businesses that have a hybrid workforce predominantly in one region or country, where the SCION Internet has been shown to reduce the attack surface by up to 99% compared to the traditional Internet.
Anapaya GATE is not a “once and for all protective measure” – but it is one of the simplest and most effective preventative measures against zero-day vulnerabilities (that have the potential to cripple your VPN and networks) that is available today.
With Anapaya GATE, you can make sure your business is not subjected to the painful loss of customer loyalty, trust or the financial losses that always accompany such zero-day exploits – whether we're talking about the lost time and resources spent fixing the issue or more serious repercussions like ransomware.
To learn how services exposed to the Internet are more vulnerable than when running on the SCION Internet, read the case study "SCION vs. the Internet."
