The National Security Agency (NSA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance for strengthening the security of virtual private network (VPN) services.

The document was created by the two agencies to assist organizations in boosting their defenses, particularly against attacks from nation-state adversaries who have previously used bugs in VPN systems to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device.

VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.


The document explains how to select VPN solutions that follow industry standards, as well as best practices for using strong authentication credentials.

It’s important for organizations to be well informed when it comes to choosing the right products from reputable vendors with a history of acting quickly to patch known vulnerabilities.

As explained by BleepingComputer, the two agencies recommend reducing the server’s attack surface by:

  • Configuring strong cryptography and authentication
  • Running only strictly necessary features
  • Protecting and monitoring access to and from the VPN
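As an added illustration (not part of the original article or of the NSA/CISA document), the following Python script audits a constructed, vendor-neutral VPN gateway configuration against those three recommendations. The cipher and DH-group allow-lists, the service names and both sample configurations are assumptions made for the example; real appliances use their own configuration syntax.

```python
"""Audit a VPN gateway configuration against the three attack-surface
recommendations: strong cryptography and authentication, only strictly
necessary features, and protected, monitored access.

The configuration is a constructed, vendor-neutral dictionary used for
illustration; the allow-lists below are an assumed baseline policy, not
text from the NSA/CISA document."""

from __future__ import annotations
from dataclasses import dataclass

# Assumed baseline: AES with SHA-2 integrity and DH groups of 2048 bits / ECP.
STRONG_ENCRYPTION = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC"}
STRONG_INTEGRITY = {"SHA-256", "SHA-384", "SHA-512"}
STRONG_DH_GROUPS = {14, 15, 16, 19, 20, 21}
# Assumed list of services that widen the attack surface of an internet-facing gateway.
UNNECESSARY_SERVICES = {"web-admin-on-vpn-interface", "telnet", "snmp-v1v2"}


@dataclass(frozen=True)
class Finding:
    control: str   # cryptography | authentication | features | access | monitoring
    detail: str


def audit(cfg: dict) -> list[Finding]:
    """Return one Finding per deviation from the baseline; an empty list means clean."""
    findings: list[Finding] = []

    # 1. Strong cryptography and authentication
    if "IKEv1" in cfg.get("ike_versions", []):
        findings.append(Finding("cryptography", "IKEv1 enabled; allow IKEv2 only"))
    for i, p in enumerate(cfg.get("ike_proposals", []), start=1):
        if p["encryption"] not in STRONG_ENCRYPTION:
            findings.append(Finding("cryptography", f"proposal {i}: weak cipher {p['encryption']}"))
        if p["integrity"] not in STRONG_INTEGRITY:
            findings.append(Finding("cryptography", f"proposal {i}: weak integrity {p['integrity']}"))
        if p["dh_group"] not in STRONG_DH_GROUPS:
            findings.append(Finding("cryptography", f"proposal {i}: weak DH group {p['dh_group']}"))
    if not cfg.get("mfa_required", False):
        findings.append(Finding("authentication", "multi-factor authentication not required"))

    # 2. Only strictly necessary features
    for svc in cfg.get("enabled_services", []):
        if svc in UNNECESSARY_SERVICES:
            findings.append(Finding("features", f"unnecessary service enabled: {svc}"))

    # 3. Protect and monitor access to and from the VPN
    if cfg.get("management_interface") != "internal":
        findings.append(Finding("access", "management reachable on a non-internal interface"))
    if not cfg.get("admin_allowlist"):
        findings.append(Finding("access", "no source allow-list for administrative access"))
    if not cfg.get("remote_syslog"):
        findings.append(Finding("monitoring", "no remote syslog destination; logs stay only on the device"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control so a report shows where the gaps are."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample configurations (not taken from any real appliance).
WEAK_CONFIG = {
    "ike_versions": ["IKEv1", "IKEv2"],
    "ike_proposals": [
        {"encryption": "3DES", "integrity": "SHA-1", "dh_group": 2},
        {"encryption": "AES-256-GCM", "integrity": "SHA-256", "dh_group": 14},
    ],
    "mfa_required": False,
    "enabled_services": ["ipsec", "ssl-vpn", "web-admin-on-vpn-interface", "snmp-v1v2"],
    "management_interface": "external",
    "admin_allowlist": [],
    "remote_syslog": None,
}

HARDENED_CONFIG = {
    "ike_versions": ["IKEv2"],
    "ike_proposals": [{"encryption": "AES-256-GCM", "integrity": "SHA-384", "dh_group": 20}],
    "mfa_required": True,
    "enabled_services": ["ipsec"],
    "management_interface": "internal",
    "admin_allowlist": ["10.0.0.0/24"],
    "remote_syslog": "10.0.0.5:514",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s) {summarize(result)}")
        for f in result:
            print(f"  [{f.control}] {f.detail}")
```

Running the script lists ten findings for the weak configuration (four on cryptography, one on authentication, two on unnecessary services, two on access and one on monitoring) and none for the hardened one; the per-control summary is what a practitioner would feed into a remediation tracker.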

Exploiting remote access VPNs can become a gateway to large-scale compromise.


This report was released shortly after a wave of such attacks: both financially motivated and state-sponsored attackers have recently concentrated on exploiting any VPN flaws they uncover in order to achieve their objectives.

The attack vector has attracted government-backed hackers, who have exploited weaknesses in VPN equipment to break into networks belonging to governmental institutions and defense corporations around the globe.

This is not the first time the NSA and CISA have warned that malicious actors working for the Russian Foreign Intelligence Service (SVR), known as APT29, Cozy Bear, and The Dukes, have successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN devices for initial access to a target network.

Earlier this year the National Cyber Security Centre (NCSC) also added a number of appliances from Cisco and other network gear vendors to the list of products whose vulnerabilities had been exploited by the SVR hackers.

Further CVEs in use by SVR

As previously reported, the group frequently uses publicly available exploits to conduct widespread scanning (T1595.002) and exploitation (T1190) against vulnerable systems. The group seeks to take full advantage of a variety of exploits when publicised. The group have used:

  • CVE-2018-13379 FortiGate
  • CVE-2019-1653 Cisco router
  • CVE-2019-2725 Oracle WebLogic Server
  • CVE-2019-9670 Zimbra
  • CVE-2019-11510 Pulse Secure
  • CVE-2019-19781 Citrix
  • CVE-2019-7609 Kibana
  • CVE-2020-4006 VMware
  • CVE-2020-5902 F5 Big-IP
  • CVE-2020-14882 Oracle WebLogic
  • CVE-2021-21972 VMware vSphere

This list should not be treated as exhaustive. The group will look to rapidly exploit recently released public vulnerabilities which are likely to enable initial access to their targets. More information about these exploits can be found in previous NCSC advisories on Citrix and VPN vulnerabilities.

