Virtual private networks (VPNs) are used to connect remotely through a secure tunnel over the internet.[^6] VPNs are built on top of publicly accessible infrastructure.[^1] They use encryption and strong user authentication.[^1] A VPN is a form of WAN.[^1] A VPN supports intranet services and remote access.[^1]
The VPN service encrypts the data before sending it in an IP packet.[^1] VPNs can use different tunneling protocols.[^1] A VPN is a form of OPSEC for information in transit: an observer on the path sees the outer packets, not the protected payload.[^1] The most secure VPN is one run by individuals you trust, rather than a company.[^1] Some VPN providers log your source and destination IP addresses, so be careful when choosing a VPN service.[^2]
Some VPN services do not store logs and accept anonymous payments.[^3] Threat actors use stolen credentials and known vulnerabilities in public-facing VPN applications to elevate privileges and execute code remotely.[^4] Unused VPN servers should be decommissioned to reduce the attack surface.[^4] Organizations must implement multi-factor authentication for their VPNs,[^5] and it should be enabled on every VPN connection.[^6]
Adversaries can exploit vulnerabilities to harvest credentials, execute remote code on VPN devices, weaken the encryption of traffic sessions, and hijack encrypted sessions.[^5] All VPNs used in corporate networks should use FIPS-validated cryptographic modules.[^6] It may be impossible to detect intrusions into a VPN device if the integrity of the device cannot be validated.[^6] The VPN device should use a signed boot process for firmware images and a secure boot process that verifies boot code before it runs.[^6] IKE/IPsec VPNs should only allow UDP ports 500 and 4500 and the Encapsulating Security Payload (ESP, IP protocol 50).[^6]
SSL/TLS VPNs should only allow TCP port 443.[^6] You should also use a whitelist of known VPN peer IP addresses and block all others.[^6] VPN services provide a secure, encrypted connection into a server or network.[^6] A Voice over IP call may have difficulties over a VPN, but using a dedicated static VPN server eliminates this issue. A VPN creates a secure tunnel between two points on the internet.[^9] The most widely used VPN protocols are Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (IPsec);[^9] note that PPTP's MS-CHAPv2 authentication is broken, so PPTP should not be relied on for confidentiality.
VPNs became a main attack vector for cybercrime groups, ransomware groups, and state-sponsored actors.[^10] It can be difficult to identify and block attackers that enter through remote communication tools.[^10] Infiltrating systems through VPNs is more cost-effective than direct attacks on defended computer networks.[^10] Organizations should use VPN services that keep logs on non-erasable media.[^10] An attacker on the path cannot split a TCP handshake to mount a man-in-the-middle attack when the connection is wrapped in a VPN, because the inner packets are encrypted and integrity-protected between the tunnel endpoints; a compromised endpoint can still see the traffic.
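The port, protocol and peer-allowlist restrictions above, turned into a small policy evaluator. This is an added example, not code from the cited NSA guidance or from any product; the allowlist ranges, sample flows and rule layout are constructed for illustration, and the `render_nft` output is one way to express the same policy as nftables rules.

```python
"""Perimeter policy for a VPN gateway: only IKE (UDP 500/4500) plus ESP for
IPsec, or only TCP 443 for an SSL/TLS VPN, and only from known peers.
Added example; addresses and flows below are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# IANA IP protocol numbers
TCP, UDP, ESP, ICMP = 6, 17, 50, 1

# Hypothetical allowlist of known peer gateways / client ranges (constructed).
ALLOWED_PEERS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# (protocol, destination port) pairs allowed to reach the gateway; None = no port
IPSEC_RULES = {(UDP, 500), (UDP, 4500), (ESP, None)}
TLS_RULES = {(TCP, 443)}
MODES = {"ipsec": IPSEC_RULES, "tls": TLS_RULES}


@dataclass(frozen=True)
class Flow:
    src: str              # source address of the inbound packet
    proto: int            # IP protocol number
    dport: Optional[int]  # destination port, None for ESP/ICMP


def from_allowed_peer(src: str) -> bool:
    """True when src falls inside one of the allowlisted ranges."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_PEERS)


def allowed(flow: Flow, mode: str) -> bool:
    """Accept the flow only if the peer is known AND the (proto, port) is in
    the rule set for the gateway type; everything else is dropped."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if not from_allowed_peer(flow.src):
        return False
    return (flow.proto, flow.dport) in MODES[mode]


def filter_flows(flows: List[Flow], mode: str) -> Dict[Flow, bool]:
    """Evaluate a batch of flows; returns {flow: accepted}."""
    return {f: allowed(f, mode) for f in flows}


def render_nft(mode: str, table: str = "inet filter") -> List[str]:
    """Render the same policy as nftables rules (default-drop chain assumed)."""
    peers = ", ".join(str(n) for n in ALLOWED_PEERS)
    lines = []
    for proto, port in sorted(MODES[mode], key=lambda r: (r[0], r[1] or 0)):
        if proto == ESP:
            lines.append(f"add rule {table} input ip saddr {{ {peers} }} ip protocol esp accept")
        elif proto == UDP:
            lines.append(f"add rule {table} input ip saddr {{ {peers} }} udp dport {port} accept")
        elif proto == TCP:
            lines.append(f"add rule {table} input ip saddr {{ {peers} }} tcp dport {port} accept")
    return lines


# Constructed sample traffic seen at the gateway's outside interface.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", UDP, 500),    # IKE from a known peer
    Flow("203.0.113.10", UDP, 4500),   # IKE NAT-T from a known peer
    Flow("203.0.113.10", ESP, None),   # ESP from a known peer
    Flow("203.0.113.10", TCP, 22),     # SSH to the gateway: not a VPN port
    Flow("192.0.2.55", UDP, 500),      # IKE from an unknown source
    Flow("198.51.100.7", TCP, 443),    # TLS from a known peer
    Flow("203.0.113.10", ICMP, None),  # ping from a known peer
]

if __name__ == "__main__":
    for flow, ok in filter_flows(SAMPLE_FLOWS, "ipsec").items():
        print(f"{'ACCEPT' if ok else 'DROP  '} {flow}")
    print("\n".join(render_nft("ipsec")))
```

Run it as a script to see each sample flow's verdict for an IPsec gateway and the equivalent nftables rules; switch the mode to `"tls"` for an SSL/TLS gateway, where only TCP 443 from the allowlisted peers passes.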
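Detection logic for the entry path described above (credential guessing against a VPN followed by a successful login), run over a few constructed VPN authentication log lines. This is an added example, not code from any of the cited reports; the log format, the baseline of known-good source addresses per user and the thresholds are assumptions chosen for illustration.

```python
"""Spot credential spraying against a VPN gateway and the login that
follows it. Added example; log format, baseline and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed log line shape (constructed): "<ts> <host> auth user=<u> src=<ip> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source fails across several accounts in a few seconds,
# then gets in as "dave"; the other logins are from each user's usual address.
SAMPLE_LOG = """\
2025-02-09T03:10:01Z vpn-gw1 auth user=alice src=198.51.100.23 result=FAIL
2025-02-09T03:10:04Z vpn-gw1 auth user=bob src=198.51.100.23 result=FAIL
2025-02-09T03:10:09Z vpn-gw1 auth user=carol src=198.51.100.23 result=FAIL
2025-02-09T03:10:15Z vpn-gw1 auth user=dave src=198.51.100.23 result=OK
2025-02-09T08:42:30Z vpn-gw1 auth user=alice src=203.0.113.10 result=OK
2025-02-09T09:01:12Z vpn-gw1 auth user=bob src=203.0.113.11 result=FAIL
2025-02-09T09:01:20Z vpn-gw1 auth user=bob src=203.0.113.11 result=OK
"""

# Assumed baseline of source addresses each user normally connects from.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.11"},
    "dave": {"203.0.113.12"},
}


def parse(lines: List[str]) -> List[dict]:
    """Parse matching lines into events; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spray(events: List[dict], min_users: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, List[str]]]:
    """A source that fails for >= min_users distinct accounts inside `window`
    is treated as spraying. Returns [(src, sorted users)]."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    findings = []
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                findings.append((src, sorted(users)))
                break
    return findings


def success_after_spray(events: List[dict], spray_sources: Set[str]) -> List[Tuple[str, str]]:
    """Successful logins from a source already flagged for spraying."""
    return sorted({(e["user"], e["src"]) for e in events
                   if e["result"] == "OK" and e["src"] in spray_sources})


def unknown_source_logins(events: List[dict], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful logins from an address not in the user's baseline."""
    return sorted({(e["user"], e["src"]) for e in events
                   if e["result"] == "OK" and e["src"] not in baseline.get(e["user"], set())})


def sample_events() -> List[dict]:
    return parse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    evs = sample_events()
    spray = detect_spray(evs)
    print("spraying sources:", spray)
    print("logins after spray:", success_after_spray(evs, {s for s, _ in spray}))
    print("logins from unknown sources:", unknown_source_logins(evs, BASELINE))
```

Both of the last two checks fire on the same event here (dave's login from the spraying address), which is the signal worth paging on; the baseline check alone would also catch a valid credential used from a new location without any preceding failures.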
[[IPSec Tunneling Protocol]]
[[PPTP Tunneling Protocol]]
[[L2TP Tunneling Protocol]]
[[Tor]] – you should always use a VPN when connecting to Tor
[[Securing VPN gateways]]
[[HideMe]] – VPN provider
[[Sonic Wall Secure Mobile Access 1000 VPN Vulnerability]]
[[Volt Typhoon]] – gained access via zero-days on VPNs
[[Sonic Wall Firewall Vulnerability]] – allows for sending a crafted session cookie
[[Cyber “Living off the Land”]] – uses VPNs to connect to victim systems
[[Express VPN with Qubes OS]] – how to install a VPN with Qubes
[[ExpressVPN]]
[[KV Botnet]] – botnets can use vulnerable VPNs as hop-points to move against their main targets
[[Multi-Factor Authentication]] – you should use 2FA with VPN services
[[Detecting WebShells]] – IP addresses with few requests coming from a VPN or proxy may indicate an attack
[[2021 PrintNightmare MFA Attack]] – moved laterally through compromised VPN credentials
[[SVR Zero-Day VPN Vulnerability]] – The SVR used a zero-day in a VPN appliance to gain access to a network
[[Colonial Pipeline Attack]] – was attacked through an old VPN
[[Mullvad VPN]]
[[IPSec Tunneling Protocol]] – good idea to use IKE/IPsec
[[Internet Key Exchange]]
[[Software Bill of Materials]] – used to assess the underlying risk of software that uses third-party modules
[[JP Morgan Chase Cyberattack]] – compromised employee used a VPN to access the corporate network.[^8]
[[Hidden API Endpoints]] – can expose location from nearby WiFi networks even if someone is using a VPN
[[Internet Gateway Device (IGD)]] – can be used to De-anonymize VPN users
[[Operation Cleaver]] – compromised VPN credentials
[[UNC1860]] – targeted VPN servers in the Middle East
[[Fraudulent North Korean IT Workers]] – used a corporate VPN
[[PIA VPN]] – gives a dedicated VPN address
[[De-Anonymizing Android Users]] – Meta can de-anonymize users that are using a VPN
[[APT28]] – uses VPNs in credential guessing campaigns
[[Whonix with VPN]] – you can use Whonix with a VPN, just be sure to tunnel whonix through the VPN connection and not the other way around
[[Pioneer Kitten]] – would exploit VPN servers
[[Tailscale VPN]] – used by fraudulent North Korean threat actors
[[Fake Mossad Job Recruitement]] – phishing sites were served to Iranians that were using VPNs
[[Salt Typhoon]] – targeted VPN devices
[[SecurityKiss]] – Irish VPN
[[Kimsuky Data Breach]] – leaked VPN purchases
[[IKE]] – don’t use the default IKE policies
[[Fox Kitten]] – exploited vulnerabilities in VPN devices
[[Cell Phone OPSEC]] – use an IPSec VPN when in a foreign country
[[Expedition Cloud]] – a phone app connects to each worker node with a VPN
[[wireguard]] – VPN protocol
[[Cayman National Bank Hack]] – hacker developed exploit tools for a popular VPN
[[Point-to-Point Security]] – should use IPsec VPNs
[[OPNSense]] – allows for VPN
[[Firewall]] – firewalls support VPNs
[[Volt Typhoon LOTL]] – used VPN to securely connect to victim machines
Backlinks
[[Encryption]]
[[IP]]
IP Addresses
[[Securing VPN Gateways]]
[[Wide Area Network]]
Sources
[1] “An Introduction to TCP/IP”.
[2] “[TOR] Dread – There is One and Only One Rule in OpSec – Tutorials & Guides,” Closed Network Podcast Forum. Accessed: Feb. 09, 2025. [Online]. Available: https://forum.closednetwork.io/t/tor-dread-there-is-one-and-only-one-rule-in-opsec/91
[3] privacysavvy.
[4] “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology,” IC3, AA22-047A, Feb. 2022. [Online]. Available: https://www.ic3.gov/CSA/2022/220217.pdf
[5] HHS_hc3-top-10.
[6] NSA_HardeningVPN.
[7] justice_1327601.
[8] sanog_orgThreatHunting.
[9] “Inside the NSA’s War on Internet Security,” Dec. 28, 2014. [Online]. Available: https://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
[10] “Fox Kitten Campaign.” Feb. 2020. [Online]. Available: https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf