Key Points

  • Organizations have transitioned to remote and global operations, increasing reliance on virtual private networks (VPNs) for secure access. This shift, however, has expanded their external attack surface.
  • Public exposure of VPNs invites internet-based attacks like system fingerprinting and account discovery.
  • Attackers can access credentials through initial access brokers, past breaches, malware, and online information, among other methods.
  • Threat actors target VPN vulnerabilities and inadequate controls to infiltrate systems and perform activities like reconnaissance and lateral movement.
  • Implementing layered security or adopting the Zero Trust framework can strengthen VPN security beyond traditional perimeter defenses.

ReliaQuest has recently observed widespread exploitation of vulnerabilities in publicly accessible virtual private networks (VPNs) in incidents spanning sectors and geographies. Once attackers gain initial access and compromise systems, they can conduct network or account discovery, brute forcing, or lateral movement. This Threat Spotlight report provides insights into understanding your VPN attack surface, common threat actor techniques, defense recommendations, and how ReliaQuest can support your mitigation efforts.

Defining VPN Technology

VPN, a popular method for encrypting transmitted data, secures connections and supports a flexible hybrid workforce. VPN’s popularity—around 45% of the ReliaQuest customer base ingests remote access logging—has led to the availability of multiple providers (e.g., Big-IP by F5, Cisco AnyConnect, Fortinet FortiClient, and Palo Alto GlobalProtect) and implementation types, including:

VPN Description Description
Site-to-Site VPN Helps establish a link between two or more networks, e.g., a main organizational network and any satellite offices.
Cloud VPN Also known as “hosted” or “VPN as a service.” Allows users to access resources, data, and applications in the cloud via a web interface or dedicated application.
Remote Access VPN Allows off-site users to securely connect to an organization’s network and access applications or information. Usually requires software to be installed on the connecting device.
Secure Sockets Layer (SSL) VPN Similar to a remote-access VPN, but uses web browsers instead of specialized VPN client software on users’ devices, making it more accessible. Includes SSL portal and SSL tunnel VPNs.

As the increased popularity and widespread adoption of traditional VPNs have exposed the technology’s limitations, alternative and supplementary solutions have arisen, including:

Solution Goals
Zero Trust Network Access Assumes that there is no network edge and aims to reduce an organization’s attack surface by focusing on least-privilege access through continuous validation of security configurations.
Software-Defined Wide Area Network (SW-WAN) Aims to deliver better performance, management, and security across traditional infrastructure and cloud. Can incorporate VPN services.
Secure Access Service Edge An architecture model that aims to converge networking and security capabilities such as SW-WAN and zero trust.

Understanding the VPN Attack Surface

To assess the attack surface and risk associated with their VPN deployment, organizations should perform a retrospective look into configurations and test expected outcomes. Below, we’ve included some methods from ReliaQuest Threat Research investigations that organizations can use to assess their current posture.

External Attack Surface

VPNs are a gateway to the internal network, so organizations should pay close attention to their external security controls and publicly available information.

Account Review

Does your organization regularly review accounts configured for VPN access?

Accounts that do not need VPN access may still be configured for this purpose. We have observed configured accounts that recorded no VPN activity for several months before being compromised. A better option would be to create specific groups within Active Directory (AD) for accounts authorized for VPN access.

Does your organization audit local accounts?

We have noted configurations that allowed local, non-domain accounts to gain internal access via VPNs. These accounts, often created by internal teams or third-party entities for firewall and VPN device setup or maintenance, may lack proper management and oversight and could remain unmonitored.

Additional Authentication

Does your organization use additional authentication methods such as multifactor authentication (MFA) or certificate-based authentication? Do you review or track accounts not configured to use these methods?

We have investigated dormant accounts within environments that were never disabled after falling into disuse. These accounts often do not have MFA configured, which provides an opportunity for unauthorized initial access.

If your organization does use MFA, does your team understand the risks from techniques like MFA fatigue attacks? Are users encouraged to report anomalous MFA activity?

Although this additional layer of protection is recommended, incomplete deployment of MFA or push notification abuse might lead to bypass attempts like MFA fatigue attacks. The Threat Research team has observed users, bombarded with MFA requests, unwittingly granting access to adversaries. We’ve also witnessed threat actors using social engineering tactics against help desk personnel to reset MFA configurations.

Sensitive Data Exposure

Are help desk phone numbers or password reset links available on your VPN portals? Do you host VPN software downloads within your VPN web portals?

The ReliaQuest Threat Research team has seen VPN login portals that contain help desk information, password reset links, and VPN software download links that have facilitated access attempts for threat actors. Although this information is helpful for remote users, exposing these details introduces risk, and organizations must plan accordingly for related targeting, e.g., social-engineering–based attacks. Some approaches like always-on VPN deployments could also minimize the need for a VPN portal that contains this information.

Internet Exposure

Has your organization configured and audited administrative logins via web portals or SSH? If so, is this access restricted to certain locations? Are configurations consistent across VPN servers/gateways?

If configured incorrectly, VPN implementations may publicly expose administrator web or SSH access accounts to the internet. If possible, avoid allowing access using admin-level accounts, implement controls to limit authorized locations for these accounts, or limit usage to standard-rights accounts. Public exposure of these accounts also subjects these assets to internet-based attacks aimed at harvesting credentials, like brute forcing and account guessing. Such exposure could inadvertently affect other external services, like O365, since compromised credentials linked to a domain account may be reused across different platforms.

Does your organization have a clear understanding of regions allowed for VPN access?

Organizations that operate from one geographic location may not need to allow access from foreign sources. Implementing controls to restrict access attempts from unexpected locations can help reduce the overall attack surface.

Internal Attack Surface

If attackers gain access, it is imperative organizations understand their internal attack surface in order to contain an incident. We’ve observed higher risk of internal access via remote access or SSL VPNs, and as such organizations should ensure that all current VPN controls are in place, review the type of internal access that accounts have across groups, and prevent abuse of this access for actions like discovery.

Site-to-Site VPNs

Does your organization understand the type of traffic allowed between site-to-site VPNs and the resources it can reach?

Before attackers can abuse site-to-site VPN, they must complete some preliminary steps, including initial compromise of a site via other methods. However, it’s important to understand the risk and controls associated with this site-to-site VPN configuration, since it can allow for lateral movement and discovery from a compromised site. Implement a least-privilege approach to limit access to only necessary resources, since access to the entire network is rarely needed. Limit SSH or RDP usage as much as possible and monitor accordingly where it is needed. Consider applying network segmentation for these zones. In some cases, this type of access may be unnecessary if certain applications can be cloud-hosted.

Access Controls

Are there controls in place to restrict access to internal resources from remote access or SSL VPNs? Should these devices or users be allowed to talk to other workstations within the network?

The ReliaQuest Threat Research team has investigated instances of unconstrained access to internal systems from a threat-actor–controlled device after a successful VPN connection, leading to consequences like cyber espionage and double extortion. Ideally, accounts should not be able to attempt remote connections (RDP/SSH) to internal servers from VPN zones. At a minimum, this access should be limited and monitored accordingly.

Common Attack Techniques

Besides understanding your attack surface, it’s important to understand methodologies threat actors can take pre- and post-access when targeting publicly accessible VPNs.

Pre-Access Stages

Discovering VPN Login Portals

By design, VPN devices are exposed to the public internet, making them susceptible to fingerprinting by tools that map and gather information about internet-connected devices and systems, such as Shodan and Censys. A simple query on these platforms can return hundreds, if not thousands, of potential VPN targets for attackers. Once an attacker has passively identified a target, they can quickly pivot to actively assessing the VPN login portals (see Figure 1).

Figure 1: Example login portal for a VPN service

In addition to manual reconnaissance via fingerprinting tools, threat actors might also have access to open-source or custom tools that automate the entire process. For instance, the reconnaissance and exploitation tool Vortex is readily accessible and can be used during multiple stages of attacks, including VPN endpoint detection, account discovery, brute forcing, credential stuffing, and vulnerability exploitation. Such tooling highlights the ease with which even novice cybercriminals can target organizations.

Obtaining Credentials

Security researchers are increasingly highlighting the threat from password spraying attacks. This technique, which has been linked to malware like the Brutus botnet, has targeted SSL VPN devices from various vendors. Investigators have also linked this botnet’s infrastructure to advanced persistent threat (APT) groups such as APT29 (aka NOBELIUM, Cozy Bear, and Midnight Blizzard).

Threat actors use publicly accessible information and credentials exposed in past data breaches for valid-account credential abuse. We have encountered instances where threat actors used credentials obtained via infostealer malware within weeks of their acquisition. Alternatively, adversaries might profit from browser syncs in which users sync configurations from their work device to their personal non-monitored devices that might secretly be affected by infostealing malware.

Organizations may see evidence of these attacker techniques within their event logs through more targeted access attempts or brute forcing against acquired account lists. This action is often automated, and IPs may appear in intelligence feeds such as AbuseIPDB, in which users can file abuse reports against IPs following unwanted activity.

Exploiting Vulnerabilities

Threat actors frequently target VPN devices for exploit development, which has led to the disclosure of multiple high-profile vulnerabilities that allow internal access or on-device actions, including:

CVE Product Description
CVE-2023-46805 Ivanti Connect Secure VPN An authentication-bypass vulnerability, present in the web component of Ivanti ICS versions 9.x and 22.x plus Ivanti Policy Secure, that permits a remote attacker to access restricted resources by circumventing control checks.
CVE-2022-40684 FortiGate SSL VPN An authentication bypass, achieved through an alternate path or channel, that enables an unauthenticated attacker to execute operations on the administrative interface using specially crafted HTTP or HTTPS requests.
CVE-2023-3519 Citrix Netscaler Application Delivery Controller (ADC) and Citrix Netscaler Gateway Unauthenticated remote code execution. Used for dropping web shells that enabled discovery, collection, and exfiltration of Active Directory data along with lateral movement attempts.
CVE-2020-3259 Cisco Adaptive Security Appliance (ASA) AnyConnect A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. This vulnerability affects only specific AnyConnect and WebVPN configurations.

Organizations should have internal processes for tracking versions of products deployed, tracking of CVEs applicable to their products, and response plans for any new potential vulnerabilities that might affect their current deployments. These processes should also include plans for potentially taking down these devices for patching or in case of emergencies, understanding of potential impact, who is authorized to perform these actions, and what authorizations are needed. They should also incorporate personnel who can assist with investigative steps like manual checks for web shells, along with any logging and monitoring opportunities for identifying these web shells, and any follow up actions on these devices, including where the connections are coming from.

Post-Access Stage

Network Segmentation

Flaws in configuration can allow threat actors to bypass network segmentation and gain direct access to critical systems like domain controllers. The ReliaQuest Threat Research team has observed adversaries exploiting such unrestricted access for internal discovery, lateral movement, establishing persistence, and credential dumping. In some cases, we witnessed threat actors lying dormant to perform discovery within environments, collecting information on internal networks, valid accounts, accounts’ naming conventions, and available resources. We’ve also observed cases of credential dumping that have led to subsequent VPN access to newly compromised accounts even after remediation actions were applied to the account. The threat actor used this access to conduct further discovery and maintain persistence using techniques including masqueraded process, scheduled tasks, and service installations (including installing tools like Rclone for data exfiltration). Segmenting these networks and restricting the type of allowed traffic from these zones can help organizations minimize their attack surface post-access.


Implementing comprehensive logging measures is crucial in tracking external authentications, identifying compromised accounts, monitoring connected devices, and scrutinizing activities emanating from the VPN-assigned address. We have investigated cases in which threat actors targeted unmonitored hosts during initial access, leading to further unauthorized activities. For example, an adversary executed WinRM commands across various hosts monitored via logging and an EDR solution. While the victim promptly initiated containment and remediation actions, a device unmonitored by EDR and with no logs ingested facilitated additional malicious activities, including tool deployment within the network environment. It’s critical to extend monitoring and protection measures across all network assets and implement a thorough and all-encompassing monitoring strategy to secure the network post-access.

Threat Forecast

Newer architectures and frameworks like Zero Trust aim to further secure remote access by addressing some shortcomings of traditional VPNs. Yet, VPNs remain a staple service for organizations as they facilitate remote access, especially in the global landscape of modern, flexible business operations. Due to their public nature, continued popularity, and inherent vulnerabilities, VPN systems will likely see persistent threats until newer remote access methods are adopted.

What ReliaQuest Is Doing

ReliaQuest’s Digital Risk Protection capability offers continuous deep- and dark-web monitoring, including tracking information like leaked VPN credentials. Additionally, our Threat Research team follows developing threats to VPN solutions and engineers new detections based on known telemetry and observed techniques.

Recommendations and Best Practices

In addition to implementing detection rules and assessing attack surface, defenders can take the following steps to significantly enhance the resilience of their VPN systems against evolving threats.

  • Prioritize patch management: Maintain strong patch management processes to ensure timely updates for VPN products. Establish procedures for emergency patching to swiftly address vulnerabilities.
  • Secure VPN configurations: Ensure VPN devices have strong configurations by restricting access from unauthorized external sources. Regularly review and manage local and disabled accounts, VPN profiles, and encryption levels and safeguard management portals from internet exposure. Security organizations like NIST and VPN providers like Cisco provide best practices and recommendations for some of these configurations and deployments.
  • Enforce access control: Implement access control measures to restrict VPN user access to specific network resources. If “bring your own device” (BYOD) policies are in effect, consider placing these devices in a separate network.
  • Test controls: Test controls to ensure that only the necessary access and traffic is allowed from VPN devices, whether site-to-site or remote access/SSL VPNs. Establish documentation of these controls, policies, and response playbooks.
  • Strengthen authentication: Use robust authentication methods like MFA and device certificate authentication for remote users. When deploying MFA, assess the risks associated with features such as push notifications.
  • Ensure visibility: Make sure your team has the required visibility into access attempts, actions on VPN devices, and any follow-up operations. Ensuring that the entire path—from initial access, internal access, and post-access actions—is properly logged for monitoring, detection, and investigation efforts. This visibility should be used for constant monitoring to verify authenticity of connections being made.
  • Train users: With increasing MFA fatigue and social-engineering-based attacks, provide training to ensure users are aware of these risks.