Remote Access Vulnerabilities and a Hardware-Enforced Solution
Remote access for OT is vital for maintaining efficiencies, troubleshooting, and also important for retaining remote workers. But most remote access solutions pose a range of security risks that might be exposing critical systems to the Internet. We take a look at three major breaches of remote access VPN and two-factor authentication systems and introduce HERA – Hardware-Enforced Remote Access – as a safer alternative.
Andrew Ginter
Remote access is seen as essential by many industrial operations – essential for trouble-shooting remote installations, enabling vendor experts to log in and help out with difficult problems, and sometimes even as a perk to help retain a white-collar workforce that grew accustomed to remote work in the pandemic. Remote access is also seen as dangerous by most practitioners – remote access provides both legitimate users and our enemies with direct access from the Internet into our critical systems. This concern is well-placed – in this article we review three serious, widespread breaches of remote access VPN and two-factor authentication systems, and we introduce HERA – Hardware-Enforced Remote Access – an alternative to vulnerable, software-based solutions.
“HERA – Hardware-Enforced Remote Access – is a secure alternative to vulnerable, software-based remote access solutions.”
Tunnel Vision VPN Breach
In the beginning of May 2024, Levathian Security disclosed the “Tunnel Vision” vulnerability that lets attackers intercept VPN traffic for almost all VPN software running on almost all operating systems except Android. By using the DHCP protocol to attack the operating system rather than the VPN, Tunnel Vision works below the level of the VPN and thus impairs most VPN products that allow laptops to participate “virtually” in distant, sensitive networks – on all of Windows, MacOS, iOS and Linux.
For the technically inclined, to attack a target, the attacker must be on the same local network as the target – a public coffee shop Wi-Fi hot spot for example. When the victim’s machine connects to the network and issues a DHCP request to acquire an IP address, the attacker responds to the request faster than the coffee shop router responds. The attacker’s response sets up routes in the victim’s machine. These routes send traffic to the attacker’s machine – traffic that would normally go to the victim’s VPN. This traffic arrives in the attacker’s machine without being encrypted by the VPN.
There are reports that this vulnerability was known, at least in part, as early as 2015, and there is speculation that the vulnerability, or a variation thereof, has been used for some time by nation-state adversaries.
Chinese Attackers Infect 20,000 Fortinet VPN Devices
In late 2022 and early 2023, Chinese attackers infected between 14,000 and 20,000 Fortinet VPN appliances. The attack vector was a remote code exploitation vulnerability that let the attackers take control of the VPN devices and install their “CoatHanger” malware. CoatHanger is a Remote Access Trojan (RAT) that lets the attackers remotely monitor and further attack the “protected” network to which the compromised VPN device was providing remote access. CoatHanger is reported to be extremely difficult to detect on a compromised VPN appliance, even if you know what you are looking for. Worse, CoatHanger survives device reboots and in some cases even survives upgrading the firmware on the compromised devices.
EvilProxy Bypasses Remote Access 2FA
In 2023, Proofpoint documented a phishing attack that included technology to defeat two-factor authentication on web-based accounts. The phishing emails tricked victims into clicking on links to what they thought were their legitimate Microsoft cloud services. In fact, the links led to malicious websites that in turn, forwarded requests (eventually) to the legitimate Microsoft sites, and forwarded responses back to the victims. The malicious sites thus looked and behaved just like the Microsoft sites did. These users then used their normal passwords and two-factor authentication mechanisms to log into the legitimate Microsoft websites.
The malicious sites of course saw all these credentials exchanged un-encrypted. Once the two-factor authentication was complete, the malicious sites stole web browser cookies from the intercepted communications – these cookies were the session cookies that identified the legitimate sessions. The attackers then immediately started using these session cookies themselves, to impersonate the victims, essentially “stealing” their active login sessions to the Microsoft services.
This same attack technique works with essentially all web services, including web-based remote access systems.
Hardware-Enforced Remote Access
The common theme? These are all vulnerabilities that compromise software-based remote access systems. Hence the problem: many critical infrastructures really do need remote access, but today’s software-based remote access systems are vulnerable to too many kinds of attacks. What the world needs now is hardware-enforced remote access.
The good news – Waterfall Security has just announced a new Hardware-Enforced Remote Access (HERA) solution. The hardware sends only encrypted keystrokes and mouse movements into the OT network, not arbitrary TCP packets through a firewall. Even if all the software on the Internet-facing CPUs in the HERA device are compromised, the attacker still cannot reach into, manipulate, nor propagate malware into the protected OT network. HERA delivers the benefits of remote access, without the risk of attacks compromising the HERA server and propagating into the OT network.
To learn more about HERA click here, or register for Waterfall’s July 31, 2024, webinar on HERA.
About the author
Andrew Ginter
Share
Trending posts
Insights into Nation State Threats – Podcast Episode 134
Infographic: Top 10 OT Cyberattacks of 2024
Andrew Ginter’s Top 3 Webinars of 2024
Stay up to date
Subscribe to our blog and receive insights straight to your inbox