National Security Agency warns that VPNs could be vulnerable to cyberattacks
The National Security Agency issued a new cybersecurity advisory on Thursday, warning that virtual private networks, or VPNs, could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in telework as organizations adapt to coronavirus-related office closures and other constraints.
A VPN allows users to establish private, encrypted connections to another network over the internet. They are used widely by corporations and other organizations to protect proprietary data from hackers while employees work remotely.
A senior NSA official who briefed reporters Wednesday said the increase in remote work had attracted the attention of potentially malicious cyber actors.
"We certainly see adversaries focused on telework infrastructure," the official said. "We've seen exploitation and as a result, have felt that this was a product that is particularly helpful now."
VPN gateways in particular are "prone to network scanning, brute force attacks, and zero-day vulnerabilities," the NSA's advisory said. "[N]etwork administrators should implement strict traffic filtering rules to limit the ports, protocols, and IP addresses of network traffic to VPN devices."
The senior official said the NSA, whose employees deal daily with highly classified materials and systems, had taken its own steps to adapt to the pandemic, reducing some of its workforce to "mission-essential" for several weeks and introducing social distancing measures within its outposts.
The advisory was issued by the agency's Cybersecurity Directorate, which launched last October. Its mandate involves reinvigorating a set of missions the NSA has long had — protecting government and private sector systems — by accelerating, broadening and "operationalizing" its dissemination of unclassified threat information, according to officials.
The directorate has now issued over a dozen public advisories since its launch. In October, it warned that nation-state actors were targeting VPN devices. In January, it was behind the disclosure of a "critical vulnerability" in Microsoft's Windows 10 software — something the agency might have once exploited, instead, as a hacking tool. And in May, in another rare move, it named a Russian military hacking unit that was secretly accessing commonly used email software.
"Attribution is always interesting," the senior NSA official said Wednesday. "We do it if we believe it creates a sense of urgency to address a vulnerability."
The directorate's emphasis on information-sharing stems from a recognition that nation states are getting more aggressive and more sophisticated in going after government and non-government targets. Its leadership has said it is also a conscious effort to move away from stubborn perceptions that the agency is a secretive black box — or "No-Such-Agency," as the NSA has been labeled. (Its foreign intelligence mission — which involves intercepting signals and communications overseas — is likely to continue avoiding the public eye.)
The agency has also broadened its presence on social media, launching an Instagram account, a dedicated Twitter account for the directorate, and even bringing its notoriously circumspect director to the platform. (Paul Nakasone has tweeted three times in three weeks.)
"General Nakasone has looked at the environment and said, 'We see adversaries increasingly using cyber to achieve national security objectives below the level of armed conflict,'" the senior official said. "'We're seeing rapid technological change, which just brings in a whole new set of vulnerabilities.'"
"It led him to say, 'We really need to up our game.'"