Claroty: VPN Vulnerabilities Endanger OT Networks

Numerous servers are still vulnerable to exploitation.

Edward Gately, Senior News Editor

July 31, 2020


Claroty has discovered VPN vulnerabilities that could threaten industries like oil and gas, water and electric utilities.

The affected VPNs provide access to the operational technology (OT) networks these industries rely on. And while the vendors have issued updates that fix the VPN vulnerabilities, numerous internet-facing servers remain unpatched and open to exploitation.

The National Security Agency has warned that VPNs pose a threat if they are not properly secured. The agency’s warning came amid a surge in remote work as organizations adapted to COVID-19-related office closures and other constraints.

As remote work persists in industries that use OT networks, the VPN approach to remote access might not be as secure as previously believed. Claroty’s findings note that vulnerable remote access servers offer threat actors targeting VPNs a highly effective attack surface.

To find out more about these VPN vulnerabilities, we spoke with Nadav Erez, research team lead at Claroty.

Channel Futures: How did Claroty discover these VPN vulnerabilities?



Nadav Erez: The Claroty research team constantly tracks global trends in security. We inspect possible attack surfaces in our customers’ networks. In the past few months, we have seen a great increase in the use of remote access solutions that lead directly into OT networks, and as the usage increases, so does the exposure to vulnerabilities in these types of platforms. Based on that, we chose to deeply investigate several products that are widely used in different OT domains. Once we identified these products as Moxa’s EDR-G902/3, Secomea’s GateManager, and HMS Networks’ eWon solution, we further investigated them to discover those reported vulnerabilities.

CF: Are these VPN vulnerabilities still dangerous? Can malicious hackers exploit them?

NE: Claroty maintains a responsible disclosure policy; therefore, we made sure all involved vendors have issued updated versions where the vulnerabilities have been fixed. Having said that, Claroty is monitoring internet-facing servers. … We still see hundreds of such servers that have not yet been updated; therefore, they may be exploited to gain access to the networks to which they provide access.

CF: What sort of damage could result from exploiting these VPN vulnerabilities?

NE: The affected VPN-based remote access solutions are used primarily to provide offsite personnel with access to OT networks within industrial enterprises and critical infrastructure – including oil and gas, water utility and electric utility providers – where secure connectivity to remote sites is critical. Successfully exploiting the vulnerabilities would give an attacker direct access to OT field devices and the ability to inflict physical damage to them; for example, shutting down or otherwise disrupting production.

CF: What aren’t organizations doing that they should be doing to protect themselves from these VPN vulnerabilities?

NE: Many organizations don’t realize the unique risks of enabling remote access for OT, as opposed to IT. While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third parties. Organizations need to evaluate remote access solutions that support the full spectrum of needs and use cases required for OT network administrators.

CF: What can MSSPs and other cybersecurity providers do to help protect organizations from these types of threats?

NE: First of all, patch! The vendors did an amazing job of providing patched/fixed versions, so customers are encouraged to find and patch any vulnerable product and software. That said, we would also suggest monitoring the remote access solution for any abnormal activity. Remotely authenticated users are better than unknown sources accessing your network. But you should always monitor your users’ activity for abnormal behavior. This approach is important, especially with this grade of remote access solutions that provide access to critical OT networks.

CF: Are we likely to see more of these types of VPN vulnerabilities as work from home continues? If so, why?

NE: Yes. In recent weeks we have seen numerous vulnerabilities published on popular remote access solutions. We expect that in the COVID-19 reality of working from home, the increased use of these platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common. Denial-of-service (DoS) attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers.
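Erez’s advice to monitor remote-access users for abnormal behavior can be turned into a concrete check. The following is an added example, not Claroty’s code or any vendor’s: it learns a per-user baseline (source network, OT target reached, hour of day) from a known-good period of constructed session records and flags later sessions that deviate from it. The record layout, the /24 grouping of source addresses and the one-hour slack on working hours are assumptions; a real gateway’s export format will differ.

```python
"""Baseline-and-deviation check for remote access sessions into an OT network.

Added example; not Claroty's code or any vendor's. The session record
layout (timestamp, user, source IP, OT target) is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_interface

# Constructed sample data (not real logs): sessions from a known-good period.
BASELINE_SESSIONS = [
    ("2020-06-01T08:15:00", "alice", "203.0.113.10", "plc-line1"),
    ("2020-06-02T09:40:00", "alice", "203.0.113.22", "plc-line1"),
    ("2020-06-03T14:05:00", "alice", "203.0.113.10", "hmi-line1"),
    ("2020-06-01T10:30:00", "vendor1", "198.51.100.7", "drive-ctrl-3"),
    ("2020-06-04T11:00:00", "vendor1", "198.51.100.7", "drive-ctrl-3"),
]

# Constructed sessions to check against that baseline.
NEW_SESSIONS = [
    ("2020-07-06T09:05:00", "alice", "203.0.113.31", "plc-line1"),     # looks normal
    ("2020-07-06T02:47:00", "alice", "192.0.2.200", "plc-line1"),      # odd hour, new network
    ("2020-07-07T10:10:00", "vendor1", "198.51.100.7", "safety-plc"),  # new OT target
    ("2020-07-08T12:00:00", "bob", "203.0.113.50", "plc-line2"),       # never-seen user
]


def source_network(ip):
    """Collapse a source address to its /24 (assumed granularity) so that an
    address change inside the same office or VPN pool does not alert."""
    return str(ip_interface(f"{ip}/24").network)


def build_baseline(sessions):
    """Per user: the source networks, OT targets and hours seen while known-good."""
    baseline = defaultdict(lambda: {"nets": set(), "targets": set(), "hours": set()})
    for ts, user, src, target in sessions:
        entry = baseline[user]
        entry["nets"].add(source_network(src))
        entry["targets"].add(target)
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)


def check_session(session, baseline):
    """Return the reasons a session deviates from its user's baseline
    (an empty list means the session looks normal)."""
    ts, user, src, target = session
    if user not in baseline:
        return ["user has no baseline"]
    entry = baseline[user]
    reasons = []
    net = source_network(src)
    if net not in entry["nets"]:
        reasons.append(f"new source network {net}")
    if target not in entry["targets"]:
        reasons.append(f"new OT target {target}")
    hour = datetime.fromisoformat(ts).hour
    # One hour of slack either side of hours seen in the baseline, wrapping at midnight.
    if not any(min(abs(hour - seen), 24 - abs(hour - seen)) <= 1 for seen in entry["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def find_anomalies(sessions, baseline):
    """List (user, reasons) for every session that deviates from the baseline."""
    anomalies = []
    for session in sessions:
        reasons = check_session(session, baseline)
        if reasons:
            anomalies.append((session[1], reasons))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(BASELINE_SESSIONS)
    for user, reasons in find_anomalies(NEW_SESSIONS, base):
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

The baseline should be built from a period you have already reviewed; learning it from live traffic that may already include an intruder just teaches the detector to accept that intruder.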

Netwrix: IT Skills Shortage Shifting Organizations’ Priorities

A new report by Netwrix shows a majority of organizations remain concerned about security-related matters, but now have to do more with less.

The 2020 Netwrix IT Trends Report: Reshaped Reality summarizes feedback from more than 900 IT professionals worldwide about the projects they are planning for the rest of the year. The online survey looks at organizations’ changing IT priorities since a similar survey late last year.

At the end of 2019, data security was the No. 1 priority and it remains there now. Three in four (76%) organizations name it as one of their IT projects for the rest of 2020.

Network security tied for the top slot due to the rapidly growing remote workforce. Education of IT staff has increased from 19% to 31%. That suggests organizations are struggling to address these key concerns amid the global IT skills shortage.

Cloud migration and innovative IT projects quickly became less important for most organizations during these uncertain times.

Other findings discovered by the survey include:

  • One in three (36%) respondents plans to prioritize investment in automation of IT tasks.

  • Interest in cybersecurity awareness remains high, with just over half of respondents listing it as a priority in both surveys.

  • Thirty-eight percent of CIOs and IT directors now plan to invest in IT personnel education. Pre-pandemic, only 20% had it among their top five priorities.

  • Only one in four (25%) organizations in the United States plan to focus on cloud migration projects. That’s down from 40% pre-pandemic.

  • More than one in four (28%) respondents will prioritize digital transformation. However, interest varies a great deal by sector. For example, interest by public institutions has more than doubled.

  • The previous survey found only a few organizations were going to focus on AI projects. That number is even lower now.



Ken Tripp is Netwrix’s director of channel accounts.

“The survey revealed many organizations struggle to withstand the ever-growing cyber threats, with so many employees working remotely. That is why network and data security are the major priorities,” he said. “What has changed is that [the] IT skills shortage became a pressing issue. It has always existed, but when the circumstances changed, it could no longer be ignored. Most hiring processes are on freeze, so organizations cannot expect to fix the issue quickly by employing experienced staff. This resulted in the growing need for the education of IT employees.”

For the most part, those who needed the cloud have already migrated, Tripp said. And the pandemic was a great opportunity to finish these projects.

“It seems that new cloud migration projects are currently on hold for many organizations due to other priorities such as data and network security,” he said.

Tripp sees a great opportunity for channel partners and MSPs who can offer professional services and address burning cybersecurity needs right now.

“Partners that will be positioning themselves as a team member that one can rely on will have more chances to fulfill their customers’ needs,” he said. “I advise them to offer data and network security packages that help organizations improve data access controls and visibility into configuration changes of network devices.”

The knowledge that partners have received from vendors will allow them to provide a decent level of expertise, Tripp said.

“Service providers should leverage their existing partnerships and create new ones to widen their cybersecurity offerings,” he said. “All organizations are challenged by the evolving threat landscape that requires protective measures to be taken right now. Unfortunately, no one has the luxury of time.”

Cheers to You, Hacker

It was revealed this week that alcohol delivery service Drizly is the latest victim of a data breach. Data and password hashes of 2.5 million users are now for sale on the dark web.

The hacker got customer email addresses, dates of birth (DOBs), hashed passwords and some delivery addresses. But there was good news. Drizly said the bad actor got no financial information, including credit or debit card information.

Drizly also said the investigation is ongoing, and “we have engaged a cyber security firm to help us identify all affected parties.”

Similar breaches have hit food delivery services recently, including Instacart and DoorDash.

Peter Klimek is director of technology at Imperva.



“Drizly’s breach notification contains very little concrete information about the attack vector itself,” he said. “But the combination of email addresses, physical and IP addresses, phone number and hashed passwords indicates that this was a full database compromise. While organizations often prioritize edge security controls, such as a web application firewall (WAF) and distributed denial of service (DDoS) mitigation to protect their websites and applications, they often overlook the security of their database servers, which leaves them susceptible to attack from malicious or compromised insiders. Without additional information, we can only speculate on the root cause. But a proper defense-in-depth strategy needs to ensure that all potential threat vectors are addressed to prevent these types of data breaches from occurring.”

Organizations that store and process sensitive data need a comprehensive information security strategy that prioritizes data protection, Klimek said.

“While there are many industry-specific regulations to choose from, newer organizations are typically best served by following a risk management framework like NIST 800-53, as it is most applicable to every organization and data type,” he said. “Additionally, database security controls, such as auditing all access to sensitive data and alerting on excessive data access are critical controls to identifying these attacks in real time. Finally, even with these active controls in place, a common source of data breaches can be through offline backups or replicas used for development and testing. Applying these controls according to data sensitivity ensures adequate protection measures are taken into account even when working with non-production environments.”
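Klimek’s two recommended controls, auditing all access to sensitive data and alerting on excessive access, applied to non-production replicas as well as production, can be illustrated with a small detector. The following is an added example, not Imperva’s code or Drizly’s: it parses constructed database audit records in an assumed line format and raises an alert whenever a principal reads more rows from a sensitive table within a ten-minute window than a configured limit. The table names, environment tags, record format and the 500-row limit are all assumptions.

```python
"""Alert on bulk reads of sensitive tables from a database audit log.

Added example; not Imperva's or Drizly's code. The audit record format,
the sensitive-table list and the row limit are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"users", "addresses"}   # assumed: tables holding customer PII
WINDOW = timedelta(minutes=10)
ROW_LIMIT = 500   # assumed: more rows than any legitimate query path touches per window

# Assumed audit record layout; one event per line, in time order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) env=(?P<env>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample log (not real data). It mixes routine single-row
# application reads, one wholesale dump, and a developer pulling customer
# rows out of a staging replica in two chunks.
AUDIT_LOG = """\
2020-02-10T03:00:05 env=prod user=app_api op=SELECT table=users rows=1
2020-02-10T03:01:10 env=prod user=app_api op=SELECT table=users rows=1
2020-02-10T03:02:30 env=prod user=app_api op=SELECT table=products rows=80000
2020-02-10T03:05:00 env=prod user=app_api op=SELECT table=users rows=3
2020-02-10T03:12:44 env=prod user=app_api op=SELECT table=users rows=2500000
2020-02-10T03:13:00 env=prod user=app_api op=SELECT table=users rows=1
not an audit record
2020-02-10T03:20:00 env=staging user=dev_copy op=SELECT table=users rows=400
2020-02-10T03:25:30 env=staging user=dev_copy op=SELECT table=addresses rows=300
2020-02-10T03:27:00 env=staging user=dev_copy op=SELECT table=users rows=350
2020-02-10T03:40:00 env=prod user=app_api op=SELECT table=users rows=2
"""


def parse_line(line):
    """Parse one audit record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["rows"] = int(ev["rows"])
    return ev


def detect_bulk_reads(lines, window=WINDOW, row_limit=row_limit if False else ROW_LIMIT):
    """Return (env, user, table, timestamp, rows_in_window) for each time a
    principal's reads of a sensitive table first exceed row_limit within the
    sliding window. The same limit applies to every environment, so a
    staging replica is watched as closely as production."""
    recent = defaultdict(deque)   # (env, user, table) -> deque of (ts, rows)
    over = defaultdict(bool)      # whether the key is currently above the limit
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["table"] not in SENSITIVE_TABLES:
            continue
        key = (ev["env"], ev["user"], ev["table"])
        q = recent[key]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > window:     # drop events outside the window
            q.popleft()
        total = sum(rows for _, rows in q)
        if total > row_limit and not over[key]:       # alert once per excursion
            alerts.append((*key, ev["ts"].isoformat(), total))
        over[key] = total > row_limit
    return alerts


if __name__ == "__main__":
    for env, user, table, ts, rows in detect_bulk_reads(AUDIT_LOG.splitlines()):
        print(f"ALERT {ts} {env}: {user} read {rows} rows from {table} within {WINDOW}")
```

A read of 80,000 product rows passes without comment because that table is not in the sensitive set; the point of tying the threshold to data sensitivity is that the detector stays quiet on bulk reads that carry no personal data and loud on the ones that do, in any environment.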

The biggest lesson for organizations, and the MSSPs and cybersecurity providers that support them is that a comprehensive information security strategy is mandatory when organizations deal with sensitive data, Klimek said.

“For small businesses and startups looking to collect this information, they must adequately prepare to budget for the controls and personnel required to protect this information before they make the business decision to collect the information,” he said. “It is all too often that organizations discover this reality after the fact. The cost of a data breach greatly exceeds the cost of developing and implementing a comprehensive information security program.”

Saryu Nayyar is CEO of Gurucul, which provides unified security and risk analytics.



“The reported Drizly data breach is interesting for what it shows about attacker dwell time, the time between an initial breach and the victim noticing it,” she said. “The stolen data has been available on the dark web since mid-February. But Drizly only identified the breach on July 13 and reported it to customers on July 28. That is a two-week delay between identifying the breach and informing affected customers. More importantly, indications are the [hacker] had access to Drizly’s systems for six months, at least, before they were identified.”

Dwell time has been going down for the last several years, Nayyar said. But this shows it’s still far too high, she said.

“Tools exist that can reduce dwell time substantially. But organizations need to be proactive about adding them to their security suites,” she said.

NetEnrich Attack Surface Intelligence

NetEnrich, a resolution intelligence company, has unveiled an integrated threat and attack surface intelligence offering. It helps enterprises reduce their digital brand exposure while overcoming skills gaps.

Knowledge Now (KNOW) is a free global threat intelligence tool. It combines with Attack Surface Intelligence (ASI) to deliver context for faster response to known and emerging cyber threats.

KNOW and ASI address the growing risk and alert fatigue that IT and SecOps professionals face on a daily basis, NetEnrich said.

ASI lets security teams continuously see what adversaries see as they target the brand online and via their shadow IT. KNOW lets defenders learn about, search and gain context into malicious activity up to 15 times faster.



Justin Crotty is NetEnrich’s senior vice president of channels.

“Many MSPs are looking to build out their cybersecurity practices, but they face the same challenges as enterprises, like trying to scale their infrastructure while having to spend countless cycles chasing alerts and staying up on the latest attacks,” he said. “Any new intelligence to help prevent customer issues and reduce Tier 2 analyst cycles is a huge advantage, especially now. Integrating threat and attack surface intelligence and combining that [with] an established security operations center (SOC) as a service from one company can deliver exponentially faster resolutions while giving customers peace of mind.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
