Rogue VPN servers used to spread malware via malicious updates

An illustration of a hand holding a set of keys in front of a laptop, accompanied by a padlock symbol, fingerprint, and key.

(Image credit: Getty Images)

Researchers from AmberWolf find two flaws in popular VPN products
Flaws can be abused to get the VPNs to connect to malicious servers
The servers can use the connection to steal login credentials, drop malware, and more

Hackers have been using compromised VPN servers to steal sensitive information from connected VPN clients, security researchers are warning.

Earlier this year, cybersecurity experts from AmberWolf discovered criminals were tricking people into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to VPN servers under their control.

The criminals were using malicious websites, or documents in social engineering and phishing, to get people to connect.

Fixing the problem

Since the vulnerable VPN clients fail to properly authenticate or verify the legitimacy of the VPN server, attackers get to impersonate trusted servers, and are allowed several malicious actions, including stealing the victims’ login credentials, running arbitrary code with elevated privileges, installing malware through software updates, and more.

AmberWolf named the vulnerabilities “NachoVPN”, and reported them to the respective organizations.

On SonicWall’s side, the bug was tracked as CVE-2024-29014, and was fixed in July 2024, while on Palo Alto Networks’ side, it was tracked as CVE-2024-5921, and was addressed in November 2024.

The first clean version of NetExtender Windows is 10.2.341. For Palo Alto, users should either install GlobalProtect 6.2.6, or run their VPN client in FIPS-CC mode.

Besides reporting the bugs to SonicWall and Palo Alto Networks, AmberWolf also shared an open-source tool, also called NachoVPN, which simulates the attack, BleepingComputer has found.

"The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered," AmberWolf said.

"It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure," the company concluded in its announcement.

Via BleepingComputer

Zyxel VPN security flaw targeted by new ransomware attackers
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.