Hackers Exploiting SSL VPNs: Time to Switch, Says Norwegian NCSC

The Norwegian National Cyber Security Centre (NCSC) strongly advises organizations to replace SSL VPN/WebVPN with more secure alternatives due to the frequent exploitation of vulnerabilities in network devices. This measure aims to protect corporate networks from breaches and other cyberattacks.

NCSC emphasizes the necessity of completing the transition to new solutions by 2025. For organizations governed by the “Security Act” and critical infrastructure, the deadline is shortened to the end of 2024.

NCSC recommends replacing SSL VPN/WebVPN products with IPsec solutions using IKEv2. Unlike SSL VPN/WebVPN, IPsec with IKEv2 provides a higher level of security by encrypting and authenticating each data packet, thereby reducing the likelihood of successful attacks.

Advantages of IPsec with IKEv2

SSL VPN and WebVPN provide secure remote access to networks via the internet using SSL/TLS protocols, creating an encrypted tunnel between the user’s device and the VPN server. However, frequent vulnerabilities in these protocols make them less reliable.

While IPsec with IKEv2 also has its drawbacks, NCSC assures that transitioning to it will significantly reduce the attack surface for remote access incidents due to its lower susceptibility to configuration errors compared to SSL VPN.

NCSC Practical Recommendations

For a successful transition to IPsec with IKEv2, NCSC proposes the following steps:

  • Reconfigure or replace existing VPN solutions;
  • Migrate all users and systems to the new protocol;
  • Disable SSL VPN functionality and block incoming TLS traffic;
  • Use certificate-based authentication.

In cases where IPsec connections are not possible, NCSC suggests using broadband 5G connections.

For organizations whose VPN solutions do not support IPsec with IKEv2 and require time for planning and migration, NCSC offers temporary recommendations. These include centralized VPN activity logging, strict geographical restrictions, and blocking access to VPN providers, Tor exit nodes, and VPS providers.
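The interim measures above can be checked against centralized VPN logs. The following is an added example, not code from NCSC or any vendor: it applies block lists and a country allow-list to login events and flags successful logins from sources the policy should have blocked. The log format, the network ranges (documentation prefixes) and the country mapping are all constructed assumptions.

```python
import ipaddress
import re

# Constructed policy data (assumption): a real deployment loads Tor exit, VPS and
# VPN-provider ranges from maintained feeds and resolves countries with a GeoIP DB.
DENY_NETS = [(ipaddress.ip_network(n), c) for n, c in [
    ("192.0.2.0/28", "tor-exit"),
    ("198.51.100.0/24", "vps-provider"),
    ("203.0.113.128/25", "vpn-provider"),
]]
GEO_NETS = [(ipaddress.ip_network(n), c) for n, c in [
    ("203.0.113.0/25", "NO"),
    ("192.0.2.128/25", "SE"),
]]
ALLOWED_COUNTRIES = {"NO"}

# Hypothetical log format: "<timestamp> <gateway> login user=<u> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(r"^(\S+) \S+ login user=(\S+) src=(\S+) result=(\w+)$")

SAMPLE_LOG = [  # constructed events
    "2024-05-01T08:00:00Z vpn-gw login user=alice src=203.0.113.10 result=ok",
    "2024-05-01T08:01:00Z vpn-gw login user=bob src=192.0.2.5 result=ok",
    "2024-05-01T08:02:00Z vpn-gw login user=carol src=198.51.100.7 result=fail",
    "2024-05-01T08:03:00Z vpn-gw login user=dave src=192.0.2.200 result=ok",
    "2024-05-01T08:04:00Z vpn-gw login user=erin src=203.0.113.200 result=ok",
]

def lookup(ip, table):
    """Label of the first network in table that contains ip, or None."""
    return next((label for net, label in table if ip in net), None)

def evaluate(line):
    """Apply the block lists first, then the country allow-list, to one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {"verdict": "unparsed", "alert": False}
    ts, user, src, result = m.groups()
    try:
        ip = ipaddress.ip_address(src)
        reason = lookup(ip, DENY_NETS)
        if reason is None:
            country = lookup(ip, GEO_NETS)
            reason = None if country in ALLOWED_COUNTRIES else f"geo:{country or 'unknown'}"
    except ValueError:
        reason = "bad-address"
    verdict = "block" if reason else "allow"
    # A successful login from a source the policy blocks is the event to alert on.
    return {"ts": ts, "user": user, "src": src, "verdict": verdict,
            "reason": reason, "alert": verdict == "block" and result == "ok"}

def alerts(lines):
    """Events where a blocked source nevertheless authenticated successfully."""
    return [e for e in map(evaluate, lines) if e["alert"]]
```

An alert here means the gateway's own geo or provider filtering is missing or misconfigured for that source, which is the gap the interim recommendations are meant to close.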

Similar recommendations for using IPsec over other protocols have also been issued in the USA and the UK. Various vulnerabilities in SSL VPN implementations discovered in recent years in products from Cisco, Fortinet, and SonicWall are actively exploited by hackers to breach networks.

For instance, in February, Fortinet reported that Chinese hackers used two FortiOS SSL VPN vulnerabilities to breach organizations, including the Dutch military network. In 2023, Akira ransomware operations exploited an SSL VPN vulnerability in Cisco ASA routers to compromise corporate networks, steal data, and encrypt devices.