Rogue VPN servers spread malware via malicious updates
- AmberWolf researchers discover two flaws in popular VPN products
- Flaws can be exploited to allow the VPNs to connect to malicious servers
- The servers can use the connection to steal credentials, plant malware, and more
Hackers are using compromised VPN servers to steal sensitive information from connected VPN clients, security researchers warn.
Earlier this year, cybersecurity experts at AmberWolf discovered that criminals were tricking people into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to VPN servers under their control.
The criminals used social engineering, phishing websites, or malicious documents to get people to connect.
Fixing the problem
Because the vulnerable VPN clients fail to properly verify the legitimacy of the VPN server, attackers can impersonate trusted servers and perform various malicious actions, including stealing the victims' login credentials, executing arbitrary code with elevated privileges, installing malware via software updates, and more.
AmberWolf named the vulnerabilities “NachoVPN” and reported them to the relevant organizations.
On the SonicWall side, the bug was tracked as CVE-2024-29014 and was fixed in July 2024, while on the Palo Alto Networks side, it was tracked as CVE-2024-5921 and was fixed in November 2024.
The first fixed version of NetExtender for Windows is 10.2.341. For Palo Alto Networks, users must install GlobalProtect 6.2.6 or run their VPN client in FIPS-CC mode.
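As an added example (not code from the article, AmberWolf, or either vendor), a small Python audit that flags client installs still below the fixed versions named above, treating GlobalProtect in FIPS-CC mode as mitigated; the product keys, the inventory schema and the hosts are assumptions.

```python
import re

# Fixed versions as stated in the article; the product keys are my own labels.
FIXED_VERSIONS = {
    "netextender-windows": (10, 2, 341),  # CVE-2024-29014
    "globalprotect": (6, 2, 6),           # CVE-2024-5921
}

def parse_version(text: str) -> tuple[int, ...]:
    """'10.2.341' -> (10, 2, 341); '6.3.0-h1' -> (6, 3, 0).
    Stops at the first component that does not start with a digit."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def version_at_least(installed, fixed) -> bool:
    """Component-wise compare, zero-padding the shorter tuple so that
    (6, 3) is treated as (6, 3, 0) when compared with (6, 2, 6)."""
    n = max(len(installed), len(fixed))
    return installed + (0,) * (n - len(installed)) >= fixed + (0,) * (n - len(fixed))

def is_mitigated(product: str, version: str, fips_cc_mode: bool = False) -> bool:
    """True when the client is on a fixed build, or (GlobalProtect only) runs in
    FIPS-CC mode, which the article names as the alternative mitigation."""
    if product == "globalprotect" and fips_cc_mode:
        return True
    return version_at_least(parse_version(version), FIXED_VERSIONS[product])

def audit(inventory: list[dict]) -> dict[str, str]:
    """Map each host to 'ok' or 'VULNERABLE'. Assumes an inventory export with
    host, product, version and optional fips_cc_mode fields (hypothetical schema)."""
    return {
        rec["host"]: "ok" if is_mitigated(rec["product"], rec["version"],
                                          rec.get("fips_cc_mode", False)) else "VULNERABLE"
        for rec in inventory
    }

# Constructed sample inventory (not real hosts or data).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "netextender-windows", "version": "10.2.339"},
    {"host": "ws-02", "product": "netextender-windows", "version": "10.2.341"},
    {"host": "ws-03", "product": "globalprotect", "version": "6.2.5"},
    {"host": "ws-04", "product": "globalprotect", "version": "6.2.5", "fips_cc_mode": True},
    {"host": "ws-05", "product": "globalprotect", "version": "6.3.0-h1"},
]
```

Running `audit(SAMPLE_INVENTORY)` reports ws-01 and ws-03 as VULNERABLE and the other three as ok.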
In addition to reporting the bugs to SonicWall and Palo Alto Networks, AmberWolf also released an open-source tool, also called NachoVPN, that simulates the attack, BleepingComputer reports.
“The tool is platform agnostic, able to identify different VPN clients and tailor its response based on the specific client connecting to it. It is also extensible and encourages community contributions and the addition of new vulnerabilities as they are discovered,” said AmberWolf.
“It currently supports several popular business VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect and Ivanti Connect Secure,” the company concluded in its announcement.
Via BleepingComputer