Technology

Rogue VPN servers used to spread malware via malicious updates

November 27, 2024

Researchers from AmberWolf find two flaws in popular VPN products
Flaws can be abused to get the VPNs to connect to malicious servers
The servers can use the connection to steal login credentials, drop malware, and more

Hackers have been using compromised VPN servers to steal sensitive information from connected VPN clients, security researchers are warning.

Earlier this year, cybersecurity experts from AmberWolf discovered criminals were tricking people into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to VPN servers under their control.

The criminals were using malicious websites, or documents in social engineering and phishing, to get people to connect.

Fixing the problem

Since the vulnerable VPN clients fail to properly authenticate or verify the legitimacy of the VPN server, attackers get to impersonate trusted servers, and are allowed several malicious actions, including stealing the victims’ login credentials, running arbitrary code with elevated privileges, installing malware through software updates, and more.

AmberWolf named the vulnerabilities “NachoVPN”, and reported them to the respective organizations.

On SonicWall’s side, the bug was tracked as CVE-2024-29014, and was fixed in July 2024, while on Palo Alto Networks’ side, it was tracked as CVE-2024-5921, and was addressed in November 2024.

The first clean version of NetExtender Windows is 10.2.341. For Palo Alto, users should either install GlobalProtect 6.2.6, or run their VPN client in FIPS-CC mode.

Besides reporting the bugs to SonicWall and Palo Alto Networks, AmberWolf also shared an open-source tool, also called NachoVPN, which simulates the attack, BleepingComputer has found.

“The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,” AmberWolf said.

“It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure,” the company concluded in its announcement.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar