Welcome to Episode Two of The Cyber Compass, our monthly insight series, featuring articles expertly written by our Technical Director, William Poole. In this month’s edition, Will explores how Virtual Private Networks (VPNs) have emerged as a key attack vector for cyber-criminals.

In 2024, the cyber security landscape witnessed a dramatic surge in ransomware attacks, with Virtual Private Networks (VPNs) emerging as a key attack vector for cyber criminals. This article, authored by Will Poole, Technical Director at CYFOR Secure, explores the methods used by these threat actors, observed trends among prominent ransomware groups, and actionable measures organisations can take to strengthen their defences. VPNs are attractive targets because they often provide a single point of entry into an organisation’s network.

What Are VPNs and How Businesses Use Them

VPNs (Virtual Private Networks) create a secure, encrypted tunnel for data transmission, enabling users to safely access private networks over the internet. For businesses, VPNs play a critical role in supporting remote work, allowing employees to securely access internal systems from anywhere. They are also used to safeguard sensitive data transfers, provide secure connections to cloud applications, and facilitate global collaboration. However, the increasing reliance on VPNs has made them a prime target for cyber criminals, who exploit vulnerabilities to compromise corporate environments.

Exploiting VPN Vulnerabilities

The widespread adoption of VPNs has attracted the attention of malicious actors. In 2024, 56% of organisations experienced cyber-attacks leveraging VPN vulnerabilities, up from 45% in 2023. Threat actors exploit unpatched software vulnerabilities to gain unauthorised access. Despite the availability of patches, delays in applying updates leave many organisations exposed, highlighting the importance of timely patch management, especially for internet-facing systems.

Leveraging Legitimate Credentials

Beyond software vulnerabilities, attackers frequently exploit legitimate credentials to breach VPNs. Automated brute-force attacks against publicly accessible VPN endpoints remain common. Weak or default passwords such as “admin” or “user”, together with password reuse, enable attackers to gain access using credentials obtained from data breaches or dark web marketplaces. In 2024, 28.7% of ransomware incidents were attributed to credential-based VPN attacks, though CYFOR Secure’s experience suggests the number exceeds 50%.

The absence of Multi-Factor Authentication (MFA) further compounds this risk. Without MFA, attackers with valid credentials can access networks unchallenged. Implementing MFA significantly reduces the likelihood of unauthorised access, adding an essential security layer.
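The two paragraphs above describe three things a defender can look for in VPN authentication logs: repeated failures against one account from one source (brute force), a single source cycling through many accounts (password spraying, typical of credential-stuffing with breached lists), and successful logins that never completed MFA. The script below is an added example, not CYFOR Secure's tooling; it parses a constructed, generic log format (`<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip> mfa=<yes|no>`), since real VPN appliances each log differently, and the thresholds and window are assumptions to be tuned per environment. The sample log lines are constructed for illustration.

```python
"""Flag credential attacks against a VPN endpoint from its authentication log.

Added example (not CYFOR Secure's code). Log format, thresholds and sample
data are all constructed assumptions; adapt the parser to your appliance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5        # failures for one (src, user) pair inside WINDOW -> brute force
SPRAY_USER_THRESHOLD = 4  # distinct accounts failed from one src inside WINDOW -> spraying
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5 or parts[1] not in ("SUCCESS", "FAILURE"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return {"ts": ts, "result": parts[1], "user": fields["user"],
            "src": fields["src"], "mfa": fields.get("mfa") == "yes"}


def analyse(lines):
    """Return a list of (finding_type, src, detail) tuples in time order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    fails = defaultdict(list)        # (src, user) -> timestamps of recent failures
    users_tried = defaultdict(list)  # src -> (timestamp, user) of recent failures
    flagged_bf, flagged_spray = set(), set()

    for e in events:
        src, user, now = e["src"], e["user"], e["ts"]
        if e["result"] == "FAILURE":
            # Sliding window of failures for this account from this source.
            key = (src, user)
            fails[key] = [t for t in fails[key] + [now] if now - t <= WINDOW]
            if len(fails[key]) >= FAIL_THRESHOLD and key not in flagged_bf:
                flagged_bf.add(key)
                findings.append(("brute_force", src, user))
            # Sliding window of distinct accounts tried from this source.
            users_tried[src] = [(t, u) for t, u in users_tried[src] + [(now, user)]
                                if now - t <= WINDOW]
            distinct = sorted({u for _, u in users_tried[src]})
            if len(distinct) >= SPRAY_USER_THRESHOLD and src not in flagged_spray:
                flagged_spray.add(src)
                findings.append(("password_spray", src, distinct))
        else:
            # A valid login with no MFA step is exactly the gap the text warns about.
            if not e["mfa"]:
                findings.append(("success_without_mfa", src, user))
            # A success right after a burst of failures suggests a guessed password.
            recent = [t for t in fails.get((src, user), []) if now - t <= WINDOW]
            if recent:
                findings.append(("success_after_failures", src, user))
    return findings


# Constructed sample log: one brute-force run ending in an MFA-less login,
# one spray across four accounts, one clean MFA login, one malformed line.
SAMPLE_LOG = """\
2024-06-01T08:00:01 FAILURE user=admin src=203.0.113.5 mfa=no
2024-06-01T08:00:03 FAILURE user=admin src=203.0.113.5 mfa=no
2024-06-01T08:00:05 FAILURE user=admin src=203.0.113.5 mfa=no
2024-06-01T08:00:07 FAILURE user=admin src=203.0.113.5 mfa=no
2024-06-01T08:00:09 FAILURE user=admin src=203.0.113.5 mfa=no
2024-06-01T08:00:11 SUCCESS user=admin src=203.0.113.5 mfa=no
2024-06-01T09:10:00 FAILURE user=alice src=198.51.100.7 mfa=no
2024-06-01T09:10:30 FAILURE user=bob src=198.51.100.7 mfa=no
2024-06-01T09:11:00 FAILURE user=carol src=198.51.100.7 mfa=no
2024-06-01T09:11:30 FAILURE user=dave src=198.51.100.7 mfa=no
2024-06-01T10:00:00 SUCCESS user=erin src=192.0.2.44 mfa=yes
malformed line here
""".splitlines()

if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG):
        print(f"{kind:24} src={src:15} {detail}")
```

The per-source window is what separates spraying from ordinary mistyped passwords: a user fumbling their own login trips neither rule, while a source that touches four accounts in ten minutes does. In practice the `success_without_mfa` finding is the one to act on first, since it is both a live compromise indicator and evidence that the MFA policy has a gap.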

Broader Context on Threat Trends

VPN-based attacks are a significant component of broader cyber threat trends observed in 2024. The year saw a rise in phishing-as-a-service (PhaaS) platforms, increased utilisation of AI by threat actors, and targeted supply chain attacks. These developments demonstrate the growing sophistication of cyber-criminal strategies and the need for organisations to adopt a multi-layered defence.

Trends Among Ransomware Groups: Akira and Fog

Ransomware groups such as Akira and Fog have intensified their activities, exploiting VPN vulnerabilities to devastating effect. The CYFOR Secure team has seen incidents span anything from hours to weeks, as different threat groups either perform their own compromises or purchase existing access from initial access brokers or affiliates. Encryption-only incidents can unfold in a matter of hours, but the team has seen double-extortion incidents, where data is exfiltrated before encryption, stretch to months.

After gaining access, threat actors escalate privileges, for example using tools like Mimikatz to harvest administrator credentials. They also exploit other vulnerabilities, such as the CVE-2024-40711 flaw in Veeam Backup & Replication servers, to deploy ransomware. This adaptability underscores the necessity for comprehensive security measures.

“The rapid exploitation of VPN vulnerabilities by groups like Akira and Fog highlights how critical it is for organisations to adopt a proactive approach to cyber security. Delays in patching and weak credential management are often the deciding factors in whether a network remains secure or succumbs to ransomware.”

Will Poole, Technical Director, CYFOR Secure.

Regulatory Implications

Failing to secure VPNs has significant regulatory consequences. For example, breaches involving personal data may result in penalties under GDPR or similar regulations. Businesses must recognise that lax cyber security practices can lead to financial penalties, reputational damage, and legal scrutiny, adding another layer of urgency to adopting robust security measures.

Protective Measures Organisations Can Take

To protect against evolving threats, organisations should adopt the following measures:

  • Regular Updates and Patching: Ensure all VPNs, firewalls, and related infrastructure are consistently updated with the latest security patches.
  • Enforce Strong Authentication Mechanisms: Implement MFA across all remote access points to provide an additional layer of security.
  • Conduct Security Audits: Perform regular assessments to identify and remediate vulnerabilities within the network.
  • Adopt Zero-Trust Architecture: Shift to a security model that verifies all access requests, regardless of origin.
  • Employee Training: Educate employees about cyber security best practices, including recognising phishing attempts and maintaining strong passwords.
  • Use Advanced Threat Detection Tools: Deploy tools capable of identifying unusual network activity, such as AI-powered intrusion detection systems.
  • Incident Response Framework: Conduct tabletop exercises, establish predefined communication plans, and ensure rapid recovery strategies are in place.

Conclusion

The exploitation of VPN vulnerabilities by ransomware groups like Akira and Fog underscores the evolving tactics of cyber criminals. Organisations must stay vigilant by proactively updating and securing their systems while fostering a culture of cyber security awareness. By implementing robust defences and staying informed about emerging threats, businesses can significantly reduce their risk of falling victim to ransomware attacks.

Written by Will Poole, Technical Director at CYFOR Secure.