By Carrie Landry, Rubica
Your corporate VPN is being used against you. Attackers watch for the signs that a device belongs to a remote worker who connects to a corporate VPN, because that tells them two things: you are working from outside the office, and someone values the company data on the other end enough to protect it with a tunnel. They do not need to break the tunnel itself. They wait until you disconnect to watch Netflix or check personal email, quietly infect the now-unprotected device, and sit still. You notice nothing until you reconnect to the corporate VPN, at which point the malware is riding inside the tunnel with you and it is already too late.
New criminal cartels on the rise
It’s bad enough that CISA and the FBI issued a joint alert a few weeks ago warning that attackers (in particular Iranian state-sponsored groups) were targeting the VPN infrastructure that remote workers depend on across several U.S. sectors: IT, government, healthcare, finance, insurance and media. And they’re not the only ones: this summer the REvil ransomware group (also known as Sodinokibi; the two names refer to the same operation) went after corporate VPN users across the globe. For REvil, the infection is just the starting point. They also steal sensitive company data and auction it to competitors, or simply to the highest bidder.
Then there’s Evil Corp, which reaches out to its victims with a polished, professional-looking email, and DarkSide, whose shakedown is so elegant and so easy to settle with a click that you’re tempted to pay just to make the headache go away. The attack starts once they know you’re using a corporate VPN: they mass-scan the internet and use tools like Nmap to identify open ports on your VPN gateway. Once the open ports are identified, they exploit known CVEs in that VPN infrastructure to gain initial access to the targeted network. An internet-facing gateway that is behind on patches is exactly what such a scan is built to find, so keeping those appliances patched and limiting what they expose to the internet removes most of this attack surface.
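The reconnaissance step described above (mass scanning for open ports on VPN gateways) leaves a recognisable trace in perimeter firewall logs: one source hitting several VPN-related ports on the same gateway within a few seconds. The script below is an added example written for this page, not code from the article or from any vendor. It parses constructed syslog-style firewall lines, groups connection attempts by source and destination, and flags sources that probe three or more distinct VPN-related ports within a five-minute window. The log format, the port list, the sample addresses and the thresholds are all assumptions; adjust them to your own gateway and logging.

```python
"""Flag Nmap-style reconnaissance against VPN-facing ports in firewall logs.

Added example, not part of the original article. The log format, port list,
thresholds and sample data below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports commonly used by SSL-VPN and IPsec gateways (assumed list; tune to your estate).
VPN_PORTS = {443, 4443, 10443, 1194, 500, 4500, 1723}

# Assumed firewall log format:
#   "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(lines, window=timedelta(minutes=5), min_ports=3):
    """Return {source_ip: sorted list of VPN ports touched} for every source
    that hits at least `min_ports` distinct VPN-related ports on the same
    destination within `window`. Allowed and denied attempts both count:
    a scanner hitting the one open port still looks like a scanner.
    """
    events = [e for e in map(parse_line, lines) if e and e["dport"] in VPN_PORTS]
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)

    hits = {}
    for (src, _dst), evs in by_pair.items():
        # Sliding window: starting at each event, collect distinct ports
        # seen within `window` after it.
        for i, start in enumerate(evs):
            ports = {start["dport"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                ports.add(later["dport"])
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


# Constructed sample log: one scanner sweeping a gateway at 198.51.100.10 and
# one legitimate remote worker who only ever reaches the expected ports.
SAMPLE_LOG = """\
2020-10-01T09:00:01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443
2020-10-01T09:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=4443
2020-10-01T09:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=10443
2020-10-01T09:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=1194
2020-10-01T09:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=500
2020-10-01T09:15:00 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443
2020-10-01T11:15:00 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443
2020-10-01T12:00:00 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=4500
"""

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible VPN port scan from {src}: ports {ports}")
```

Run against the sample it reports 203.0.113.7 and ignores 192.0.2.44, whose two ports are hours apart. Two caveats: the script only looks at ports in `VPN_PORTS`, so a full-range scan is better caught by a general port-scan rule, and a scanner that paces its probes slower than the window will slip through, so feed it the longest window your log retention allows.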