Security: Social Engineering and VPN access

I often report on cyber attacks on companies here on the blog. In general, headlines about security incidents at large companies seem to be piling up. Fortunately, when companies release details about an incident, the security community can learn about the tactics used in the attack and be better able to protect their own organizations in the future. However, much stays under wraps, and the public is never told how the attack was able to occur.


Security provider Lookout recently sent me an analysis that deals with the emergence and exploitation of a modern security weakness: attackers can often infiltrate companies via VPN access whose credentials have been captured through social engineering.

The LAPSUS$-Uber hack

One example is Uber. In 2022, the ride-hailing company learned of a successful data infiltration and attributed the attack to the notorious Lapsus$ group. According to news reports and Uber's own blog, a third-party provider's credentials were compromised either through social engineering (according to Lapsus$) or by purchasing the credentials on the dark web (according to Uber).

In either case, an attacker bombarded a user with multi-factor authentication (MFA) requests and was able to convince them to accept the login under the pretense of being an Uber IT employee. Once logged in, the attacker moved laterally and found privileged credentials hardcoded into an automation script. From there, they gained additional access to a variety of cloud applications and data on the company's network.

Uber is just one example; the threat landscape is constantly evolving. This attack illustrates tactics that continue to be effective, helping IT departments and security teams around the world better understand what proactive steps they can take to avoid being next.

Insights from Lookout

Sascha Spangenberg, Global MSSP Solutions Architect at IT security provider Lookout, describes the emergence and exploitation of a modern security vulnerability: These days, a wide range of users need to be able to access corporate infrastructure wherever they are – whether they are employees, partners or contractors. The standard method of connecting them is often virtual private networks (VPN). However, this can be a problem – and not just in terms of the poor user experience caused by network hairpinning.


Simple authentication methods are susceptible to social engineering

VPN relies on basic security controls: passwords and MFA. Just because someone has entered the correct username and password and holds an MFA token does not mean they are legitimate. Without additional telemetry, such as analysis of user behavior, companies have no way of knowing whether an account has been compromised.

Since attackers only need to overcome the login process to compromise an infrastructure, social engineering has become very effective. This is especially true with the increasing use of mobile devices, for which there are countless channels through which phishing attacks can be carried out to steal credentials, including SMS and iMessage, third-party messaging apps and social platforms such as social media and dating apps.

Network-wide access makes lateral movements easy

Another risk posed by VPNs is that they grant users more access than they need, also known as overprovisioning. Once someone logs into a VPN profile, they often have access to a variety of systems within that network. If the profile is compromised, the attacker can perform reconnaissance operations to find out what other options are available and move laterally around the network in what is known as a "land-and-expand" operation.

How companies can protect themselves – three important measures

It is difficult to find an answer to every security incident, but there are lessons to be learned from every incident.

1. Restrict VPN access, especially for third parties

Seamless collaboration with third parties is crucial for any business, but it's important to keep security in mind. To minimize security incidents, companies should ensure that their users only have access to what they need to do their job, also known as "just enough rights". It may also be useful to limit the amount of time a person has access to the data, e.g. through 'just-in-time' access.

To achieve this level of segmentation, organizations should go beyond VPN and its all-or-nothing access controls. This not only limits an attacker's ability to move laterally, but also reduces the risk of phishing attacks. Technologies such as Zero Trust Network Access (ZTNA), which can fulfill these additional requirements, make sense.

2. Don't rely on passwords and MFA alone

Strong passwords and MFA are solid security foundations, but they alone are not enough. Given the variety of devices, networks and locations from which users may be connecting, it is incredibly difficult for traditional security tools to distinguish between legitimate users and attackers.

This is where additional telemetry data needs to be considered, such as user behavior or the risk level of the device being used. For example, if a user logs in from an unusual location on a device they don't normally use, or if they attempt to log in multiple times from different networks, these cases should be flagged. Security managers also need to recognize when permissions change, as this is one of the first things an attacker will try to do to expand access to the network.
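The flagging rules described above, turned into a small detection routine over constructed login events (an added example, not code from Lookout or from the original post; the event format, the per-user baseline and the threshold values are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs): an attacker floods
# "alice" with MFA pushes from an unknown country and device until one is accepted,
# then changes permissions. "bob" logs in normally from a known device.
EVENTS = [
    ("2022-09-15T08:02:10", "bob",   "login_ok",          "198.51.100.20", "DE", "LAPTOP-B7"),
    ("2022-09-15T09:40:01", "alice", "mfa_push_sent",     "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:40:31", "alice", "mfa_push_sent",     "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:41:05", "alice", "mfa_push_sent",     "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:41:40", "alice", "mfa_push_sent",     "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:42:12", "alice", "mfa_push_accepted", "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:42:13", "alice", "login_ok",          "203.0.113.7",   "BR", "iphone-unknown"),
    ("2022-09-15T09:50:00", "alice", "permission_change", "203.0.113.7",   "BR", "iphone-unknown"),
]
# Assumed per-user baseline (constructed): countries and devices seen over the last 30 days.
BASELINE = {
    "alice": {"countries": {"DE"}, "devices": {"LAPTOP-A1"}},
    "bob":   {"countries": {"DE"}, "devices": {"LAPTOP-B7"}},
}
PUSH_THRESHOLD = 3              # pushes inside WINDOW before an accept count as a push flood
WINDOW = timedelta(minutes=10)

def analyze(events, baseline, push_threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return [(timestamp, user, flag)] for the anomalies the text says should be flagged."""
    flags = []
    pushes = defaultdict(list)  # user -> timestamps of MFA pushes still inside the window
    for ts_str, user, event, _src_ip, country, device in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        base = baseline.get(user, {"countries": set(), "devices": set()})
        if event == "mfa_push_sent":
            pushes[user] = [t for t in pushes[user] if ts - t <= window] + [ts]
        elif event == "mfa_push_accepted":
            # an accept right after a burst of pushes is the MFA-fatigue pattern from the Uber case
            if len(pushes[user]) >= push_threshold:
                flags.append((ts_str, user, "mfa_fatigue"))
            pushes[user].clear()
        elif event == "login_ok":
            # unusual location on a device the user does not normally use
            if country not in base["countries"] and device not in base["devices"]:
                flags.append((ts_str, user, "new_location_and_device"))
        elif event == "permission_change":
            # permission changes are among the first things an attacker tries after a takeover
            flags.append((ts_str, user, "privilege_change"))
    return flags

if __name__ == "__main__":
    for ts, user, flag in analyze(EVENTS, BASELINE):
        print(ts, user, flag)
```

In a real deployment the baseline would come from the identity provider's sign-in history and the flags would feed the automated responses discussed further below.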

3. Protect employees from social engineering

An entire attack chain usually cannot be carried out without an initial foothold, which is most often obtained with compromised credentials. Gone are the days of brute-force attacks. It's much easier to buy a phishing kit on the dark web or set up a proxy that redirects the targeted user to a fake version of their corporate login.

As attackers get better at launching social engineering scams, organizations need to protect their employees on all devices. The first step is to ensure that users are properly trained, especially with regard to modern phishing attacks that arrive via mobile channels. Next, organizations need to be able to block phishing attacks and malicious network traffic on their mobile devices, laptops and desktops. If they can inspect inbound and outbound internet connections, they can prevent malicious websites from reaching their users and data from leaking out.

Security problems cannot be solved in isolation

Security vendors have been conditioned to view different aspects of security as separate problems. In reality, a security incident can only be prevented if each of the above steps works in unison with the others.

For example, security teams should be able to restrict or block a user's access from any endpoint as soon as that endpoint is compromised. When an account is taken over, they should be able to actively monitor the user's behavior so they can quickly restrict or block access. To enforce such consistent and dynamic policies, security managers need to automate responses based on device, user, application and data telemetry.

Just as no cloud application lives on an island, no security problems can be solved in isolation. To truly reduce risks and protect data, companies need a unified platform that takes a holistic approach to security.
