The VPN Risk Report shows that more than half of companies were affected by cyberattacks via VPN in 2023. According to the Zscaler ThreatLabz Report 2024, 78 percent of companies plan to implement a Zero Trust strategy in the next 12 months.
ThreatLabz VPN Risk Report 2024: For this study, Cybersecurity Insiders surveyed over 600 IT security, IT and networking professionals. 56 percent of participating companies reported being the target of cyberattacks that exploited security vulnerabilities in VPNs in the past year. These incidents underscore the vulnerability of traditional perimeter-based security compared to a more robust Zero Trust architecture.
Zero Trust instead of VPN solutions
The move to Zero Trust has gained momentum following recent security breaches and critical vulnerabilities in VPNs from two major companies:
- Ivanti (CVE-2023-46805 and CVE-2024-21887) – Remote attackers could bypass authentication and inject commands.
- Palo Alto Networks OS vulnerability (CVE-2024-3400) – Unauthenticated users exploited the security vendor's operating system to infiltrate the network. As a result, the vulnerability received the maximum severity level of 10.

Ivanti's zero-day vulnerabilities prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive requiring federal agencies to immediately sever connections to the compromised VPN devices.
VPN security challenges
VPNs provide traditional remote access to corporate networks, but the growing scale and sophistication of cyberattacks on these networks is a concern for security teams. Of those surveyed, 91 percent expressed concern that VPN vulnerabilities could provide entry points into their IT infrastructure, a concern supported by recent breaches involving outdated or unpatched VPN infrastructure.
"Over the past year, numerous critical VPN vulnerabilities have served as successful entry points for attacks on large enterprises and government entities," said Deepen Desai, CSO at Zscaler. "Given these repeated findings, organizations must prepare for threat actors to increasingly exploit these traditional internet-exposed assets such as appliances and virtual assets, the compromise of which allows attackers to navigate laterally through traditional flat networks. Transitioning to a Zero Trust architecture significantly eliminates the attack surfaces of traditional VPNs and firewalls and helps enforce consistent security mechanisms with TLS inspection. The attack radius can be limited using segmentation and deception, preventing greater damage from security incidents."
VPN vulnerabilities used for attacks
The study identifies ransomware attacks (42 percent), malware infections (35 percent) and DDoS attacks (30 percent) as the top threat vectors that exploit VPN vulnerabilities. The report also shows that 78 percent of surveyed organizations plan to implement Zero Trust strategies in the next 12 months. In addition, 62 percent of organizations acknowledge that VPNs contradict Zero Trust principles and that even deploying VPNs via the cloud does not constitute a Zero Trust architecture.
Stop the spread
Of the organizations that have experienced a compromise via VPN vulnerabilities, the majority reported lateral spread of the attack within the network, meaning it was not contained after the initial infection. To minimize the radius of spread and mitigate the risk of VPN vulnerabilities, Zscaler recommends adopting a Zero Trust architecture to:
- Minimize the attack surface by making applications invisible to the Internet, making them harder for attackers to detect and attack.
- Prevent compromise by inline inspection of traffic and content to detect and block malicious activity and protect resources from unauthorized access or data exfiltration.
- Eliminate lateral movement by segmenting and connecting users directly to their applications instead of the network, limiting an attacker's ability to gain unauthorized access and spread laterally.
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.