Virtual private network holes raise remote access risks
Virtual private network (VPN) implementations that give remote access to operations technology (OT) networks have received more focus due to COVID-19 since more people are working remotely.
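In the wake of COVID-19 and more people working from home, remote code execution vulnerabilities affecting virtual private network (VPN) implementations primarily used to provide remote access to operational technology (OT) networks have come into sharper focus.
These dedicated remote access solutions are mainly focused on the industrial control system (ICS) industry, and their main use case is to provide maintenance and monitoring of field controllers and devices, including programmable logic controllers (PLCs) and input/output (IO) devices. Such solutions are typically deployed at the outer boundary of the network, at Level 5 of the Purdue model, and provide access to field controllers and devices located at Levels 1/0. Exploiting these vulnerabilities can give an attacker direct access to field devices and cause some physical damage.
The vulnerable products are widely used in field-based industries such as oil, gas, water utilities and electric utilities, where secure connectivity to remote sites is critical. Besides connectivity between sites, these solutions can also be used to enable remote operators and third-party vendors to dial into customer sites and provide maintenance and monitoring for PLCs and other Level 1/0 devices. This kind of access has become a particular priority in recent months due to the new reality of COVID-19.
To better understand the risks posed by exploitation of these vulnerabilities and what can be done to defend against such attacks, the Claroty research team extensively tested the security posture of several popular remote access solutions. The following are the findings: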
Remote access servers
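Vulnerable remote access servers can serve as highly effective attack surfaces for threat actors targeting VPNs. These tools allow clients to connect to a server through an encrypted tunnel. The server then forwards the communication into the internal network. This means the server is a critical asset in the network, because it has one "leg" on the internet, open to everyone, and one "leg" in the secure, internal network, beyond all perimeter security measures. Gaining access to it therefore allows attackers not only to view internal traffic but also to communicate as if they were a legitimate host within the network.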
In recent years, there has been a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost. Usually, they also offer white-labeled solutions that large-scale companies can purchase to have their own personal cloud while the underlying software is exactly the same. Thus, finding bugs in one instance could mean that all other instances would be affected, too.
Remote network connections
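One of the major challenges in the ICS industry is secure connectivity between remote sites and the main data center where the SCADA/data collection server is located. Recently, we have seen multiple incidents in which internet-facing ICS devices were accessed directly without any credentials; this threat was recently addressed in a CISA alert. To avoid such scenarios, multiple ICS VPN solutions exist that are able to make these remote connections between site and central in a secure manner.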
Client control
Another prevalent attack surface for targeting VPNs is the client. Gaining control of an authorized user’s computer grants attackers access to that user’s VPN credentials, as well as those for other employee accounts that could enable the adversary to penetrate and further expand their foothold within the organization’s internal network without needing to tackle the server instance.
Cybersecurity threat trends
Remote access trends: In recent weeks we have seen numerous vulnerabilities published on popular remote access solutions. We expect in the COVID-19 era of working from home, the increased use of these platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common. Denial-of-service (DoS) attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers.
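ICS ransomware: Advanced persistent threat (APT) activity is on the rise, and we have seen this activity shift from widely impactful, mostly indiscriminate attacks to very specific, targeted attacks. OT has been a significant focus in recent months as a prime target for ransomware groups, and such attacks have mainly focused on the information technology (IT) components of OT networks, such as human-machine interfaces (HMIs) and engineering workstations.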
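Leveraging vulnerabilities in edge devices can provide these groups with direct access to ICS devices and key target areas, which when taken over could potentially yield the most benefit for these attackers' business model. A good example of attackers using this exact tactic is the recent Honda attack. (Honda said one of its internal servers was attacked externally. It added that the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems. It added that "the virus had spread" throughout its network, but did not provide further details. The automotive giant felt the effects of the EKANS, or SNAKE spelled backward, ransomware.)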
Phishing campaigns: Claroty has been focusing on client-side attacks due to the increase in APT activity targeting OT networks leveraging phishing campaigns as an attack vector. The main focus of our research in this area is to find vulnerabilities and exploits targeting OT-relevant clients, as shown through attacks on VPN clients.
These vulnerabilities reinforce the unique risks inherent to OT remote access. While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third-parties.
This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner.