NachoVPN: New Attack Strategy Exploits VPN Vulnerabilities for Malicious Activities
November 26, 2024
A recently disclosed set of vulnerabilities, collectively dubbed 'NachoVPN', allows a rogue VPN server to push malicious updates to unpatched Palo Alto Networks GlobalProtect and SonicWall NetExtender clients that connect to it. The flaws were discovered by security researchers at AmberWolf. An attacker can trick a target into pointing their NetExtender or GlobalProtect client at a malicious VPN server, for example through a malicious website or document delivered in a phishing or social-engineering attack.
Once a victim's client is connected to the rogue server, the attacker can steal login credentials, execute arbitrary code with elevated privileges, deliver malware through the client's update mechanism and, by installing a malicious root certificate, mount man-in-the-middle attacks or forge code signatures.
In response to the NachoVPN findings, SonicWall patched the NetExtender vulnerability (CVE-2024-29014) in July, two months after the initial report in May. Palo Alto Networks released security updates for the GlobalProtect flaw (CVE-2024-5921) seven months after it was first notified in April, and nearly a month after AmberWolf publicly presented the vulnerability at SANS HackFest Hollywood.
To close the flaw, SonicWall advises customers to install NetExtender for Windows 10.2.341 or later. Palo Alto Networks' fix ships in GlobalProtect 6.2.6 or later; as an interim mitigation, it also suggests running the client in FIPS-CC mode.
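A practical follow-up to the two advisories is to confirm that every endpoint actually runs a fixed client. The script below is an added example, not code from AmberWolf or either vendor: it reads a software inventory exported as "hostname,product,version" lines (the sample lines here are constructed, and the export format is an assumption about your inventory tool) and flags clients below the fixed versions quoted above. The point it makes beyond the text is that versions must be compared segment by segment as integers, since a plain string comparison would rank "6.2.10" below "6.2.6".

```python
"""Patch-level check for the NetExtender and GlobalProtect fixes.

Added example, not the vendors' or AmberWolf's code. Assumes an inventory
export of "hostname,product,version" lines (constructed sample below); the
minimum versions are the ones the vendors' advisories name.
"""
from __future__ import annotations

import re
from typing import Iterable

# Minimum fixed versions cited in the article.
FIXED_VERSIONS = {
    "SonicWall NetExtender": "10.2.341",
    "Palo Alto GlobalProtect": "6.2.6",
}

# Constructed sample inventory; one "hostname,product,version" line per host.
SAMPLE_INVENTORY = """\
ws-001,SonicWall NetExtender,10.2.339
ws-002,SonicWall NetExtender,10.2.341
ws-003,Palo Alto GlobalProtect,6.2.5
ws-004,Palo Alto GlobalProtect,6.2.6-c80
ws-005,Palo Alto GlobalProtect,6.2.10
ws-006,Palo Alto GlobalProtect,5.1.12
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.2.6-c80' into (6, 2, 6) so segments compare numerically.

    Tuples of ints order correctly ((6, 2, 10) > (6, 2, 6)); the raw strings
    would not. Non-numeric build suffixes such as '-c80' are ignored.
    """
    core = re.search(r"\d+(?:\.\d+)*", text)
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_patched(product: str, version: str) -> bool:
    """True if the installed version is at or above the fixed version.

    This models only the 'fixed in X or later' statement from the article;
    branch-specific fixes for older release trains are not represented.
    """
    return parse_version(version) >= parse_version(FIXED_VERSIONS[product])


def find_unpatched(inventory: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (host, product, version) for every client below the fix."""
    flagged: list[tuple[str, str, str]] = []
    for line in inventory:
        line = line.strip()
        if not line:
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if product in FIXED_VERSIONS and not is_patched(product, version):
            flagged.append((host, product, version))
    return flagged


if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}")
```

Feed it the real export from your endpoint-management tool in place of SAMPLE_INVENTORY; hosts it prints are the ones still exposed to a rogue server.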
AmberWolf disclosed additional details about these vulnerabilities on Tuesday and introduced an open-source tool called NachoVPN. This tool simulates rogue VPN servers that can exploit these vulnerabilities. 'The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered,' AmberWolf explained.
NachoVPN supports various popular corporate VPN products, including Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure, according to its GitHub page. AmberWolf also released advisories providing more technical information about the SonicWall NetExtender and Palo Alto Networks GlobalProtect vulnerabilities. These advisories provide detailed attack vector information and recommendations to help network defenders guard against potential attacks.