The sense of security offered by VPNs might not be as foolproof as it seems. Cybersecurity experts are now warning that hackers have turned their focus to compromised VPN servers, using them to steal sensitive information from unsuspecting users.
This alarming trend underscores the vulnerabilities lurking within widely used VPN clients. Earlier this year, researchers at AmberWolf discovered that criminals were targeting popular VPN clients like SonicWall NetExtender and Palo Alto Networks GlobalProtect.
How hackers lure users into the trap
Using phishing techniques and social engineering, attackers tricked users into connecting to rogue VPN servers under their control. Malicious websites and cleverly disguised documents served as bait, convincing victims to establish connections that would ultimately compromise their systems.
Once connected, users unknowingly handed over access to their VPN clients, allowing attackers to impersonate trusted servers. This opened the door to a range of malicious activities, including the theft of login credentials, the installation of malware, and even the execution of arbitrary code with elevated privileges. The root of the problem was that certain VPN clients failed to properly verify the legitimacy of the servers they connected to.
Vulnerabilities exposed
AmberWolf identified the security flaws and dubbed them “NachoVPN.” These vulnerabilities were reported to SonicWall and Palo Alto Networks, prompting swift action. The flaws were officially tracked as CVE-2024-29014 for SonicWall and CVE-2024-5921 for Palo Alto Networks. SonicWall patched the issue in July 2024, with the first secure version of NetExtender for Windows being 10.2.341. Palo Alto Networks followed suit in November 2024, advising users to upgrade to GlobalProtect 6.2.6 or activate FIPS-CC mode for enhanced protection.
AmberWolf also developed an open-source tool, aptly named NachoVPN, to simulate the attack. The tool not only demonstrates how the vulnerabilities work but also serves as a resource for researchers to identify additional security gaps. It supports various VPN clients, including Cisco AnyConnect, Ivanti Connect Secure, and the affected SonicWall and Palo Alto clients.
How to stay safe
The NachoVPN tool highlights the evolving threat landscape where even trusted security solutions can become attack vectors. AmberWolf emphasised that the tool is platform-agnostic and adaptable, encouraging the cybersecurity community to collaborate in addressing emerging vulnerabilities.
For users, this incident is a stark reminder to stay vigilant. Regular updates to VPN software and cautious behaviour online are essential to avoid falling victim to such sophisticated attacks. As hackers get more creative, staying ahead of threats requires both technological defences and user awareness.
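As an added example (not code from AmberWolf or either vendor), the following script checks a client inventory against the fixed versions named above. The inventory format, hostnames and status labels are assumptions of this example, and because the article names only one GlobalProtect release, newer GlobalProtect branches are flagged for review rather than assumed safe.

```python
import re

# Fixed versions as stated in the article. "branch_only" is this example's
# assumption: only one GlobalProtect release is named, so other (newer)
# branches are sent for manual review against the vendor advisory.
FIXED = {
    "netextender": {"cve": "CVE-2024-29014", "fixed": (10, 2, 341), "branch_only": False},
    "globalprotect": {"cve": "CVE-2024-5921", "fixed": (6, 2, 6), "branch_only": True},
}

def parse_version(text):
    """Return the leading dotted numeric part of a version string as a 3-tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def assess(product, version, fips_cc=False):
    """Classify one client: patched, mitigated, vulnerable, review or unknown."""
    rule = FIXED.get(product.lower())
    if rule is None:
        return "unknown"          # product not covered by the article
    try:
        v = parse_version(version)
    except ValueError:
        return "review"           # cannot decide automatically
    if v >= rule["fixed"]:
        if rule["branch_only"] and v[:2] != rule["fixed"][:2]:
            return "review"
        return "patched"
    # FIPS-CC mode is the alternative the article gives for GlobalProtect only.
    if product.lower() == "globalprotect" and fips_cc:
        return "mitigated"
    return "vulnerable"

# Constructed sample inventory: (host, product, version, FIPS-CC enabled).
INVENTORY = [
    ("ws-001", "NetExtender", "10.2.339", False),
    ("ws-002", "NetExtender", "10.2.341", False),
    ("ws-003", "GlobalProtect", "6.2.5", True),
    ("ws-004", "GlobalProtect", "6.2.4-c12", False),
    ("ws-005", "GlobalProtect", "6.3.1", False),
]

def audit(inventory):
    """Map each host to its assessment."""
    return {host: assess(p, v, f) for host, p, v, f in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```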


