Is the VPN Era Ending? Insights for Security Leaders
2024-5-16 21:30:26 Author: securityboulevard.com

The landscape of VPN technology is rapidly changing, signaling potential obsolescence as new threats specifically target these technologies. In recent research by Veriti, we’ve observed a significant increase in attacks on VPN infrastructures, with a focus on exploiting vulnerabilities that have been prevalent but not always prioritized for remediation. 

In the past few weeks alone, numerous instances of VPN exploits have been documented, with attackers using sophisticated methods to deploy ransomware through vulnerabilities in outdated VPN technology. 

In a documented case, Veriti observed an attack originating from Russia, where automated exploits targeted multiple security products, exploiting known vulnerabilities:  

  • Fortinet Multiple Products Authentication Bypass – CVE-2022-40684 
  • Citrix NetScaler Information Disclosure – CVE-2023-4966 
  • Fortinet FortiOS SSL VPN Directory Traversal – CVE-2018-13379 
  • Pulse Connect Secure File Disclosure – CVE-2019-11510 
  • F5 BIG-IP Configuration Utility Authentication Bypass – CVE-2023-46747 
  • Ivanti (MobileIron) Sentry Authentication Bypass Attempt – CVE-2023-38035
  • ConnectWise ScreenConnect Authentication Bypass Check – CVE-2024-1709
  • Cisco IOS XE Privilege Escalation Attempt – CVE-2023-20198
  • Palo Alto Networks GlobalProtect Command Injection – CVE-2024-3400

Veriti’s research into these attacks has revealed that many organizations are unprepared for the sophistication and frequency of these threats. The data shows a global spread of attacks, with significant concentrations in the United States and Germany, affecting industries ranging from government to finance. This widespread vulnerability suggests that the traditional VPN may no longer provide adequate security in the current cyber threat landscape.

The decline in VPN security effectiveness suggests a pivotal moment for technology leaders. The transition from traditional VPN solutions to comprehensive cloud-based security solutions represents an opportunity to enhance both security and operational efficiency.

While investigating these attacks, Veriti Research analyzed the global spread of VPN clients and products, identifying a trend towards abandoning conventional VPNs. Over the past year, there has been a notable rise in attacks exploiting vulnerabilities in VPN applications as entry points into organizations. In 2024, major VPN providers like Palo Alto Networks, Fortinet, Cisco, Juniper, SonicWall, and Ivanti were identified as potential back doors for attackers. Notably, Fortinet’s VPN vulnerabilities were reportedly exploited by the Volt Typhoon group, a detail supported by CISA research. Similarly, Ivanti’s vulnerabilities were linked to significant security breaches, including those orchestrated by the attack group UTA0178. These incidents highlight the urgent need for enhanced security measures and reflect a shifting strategy in cyber-attacks, utilizing VPN vulnerabilities to achieve malicious objectives.

Honorable mentions of cases where the attackers used VPN vulnerabilities to achieve their goal

Trends in VPN Usage Decline: A Statistical Overview

In recent months, Veriti Research has observed a significant decline in the usage of VPN products, as illustrated by the accompanying graph. The graph plots the number of VPN devices exposed to the internet (Y-axis) against time, measured month by month (X-axis).

The Veriti engineering team has noted upcoming updates from major vendors planning to phase out their traditional VPN solutions in future software releases. This strategic shift indicates a move towards more modern and secure alternatives.

| Country | Sep-23 | Oct-23 | Nov-23 | Dec-23 | Jan-24 | Feb-24 | Mar-24 | Apr-24 |
|---|---|---|---|---|---|---|---|---|
| United States | 109,381 | 108,201 | 112,928 | 111,826 | 82,348 | 65,729 | 61,881 | 53,420 |
| Japan | 28,215 | 27,453 | 28,016 | 27,735 | 25,090 | 23,502 | 22,249 | 19,252 |
| India | 25,411 | 24,803 | 25,424 | 25,819 | 22,257 | 19,611 | 18,449 | 15,994 |
| Taiwan | 22,297 | 21,968 | 22,293 | 22,220 | 19,963 | 17,956 | 17,471 | 14,929 |
| Brazil | 22,834 | 22,451 | 23,505 | 23,791 | 18,920 | 15,763 | 14,906 | 12,817 |
| Italy | 21,622 | 21,222 | 21,643 | 21,604 | 19,159 | 17,438 | 16,998 | 15,083 |
| France | 21,499 | 21,173 | 21,603 | 21,495 | 18,112 | 16,012 | 15,300 | 13,601 |
| Canada | 18,361 | 18,376 | 18,846 | 18,906 | 14,681 | 12,351 | 11,727 | 10,129 |
| Turkey | 15,420 | 14,909 | 14,659 | 14,448 | 12,647 | 11,606 | 11,110 | 9,546 |
| Spain | 14,719 | 14,498 | 15,137 | 15,119 | 12,800 | 11,717 | 10,671 | 9,133 |

The latest Ivanti vulnerabilities

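| Country | Dec-23 | Jan-24 | Feb-24 | Mar-24 | Apr-24 |
|---|---|---|---|---|---|
| United States | 72 | 82 | 76 | 56 | 50 |
| Germany | 69 | 84 | 74 | 57 | 43 |
| Italy | 28 | 28 | 27 | 25 | 22 |
| China | 21 | 26 | 21 | 14 | 14 |
| Hong Kong | 19 | 18 | 14 | 17 | 13 |

| Country | Apr-23 | May-23 | Jun-23 | Jul-23 | Aug-23 | Sep-23 | Oct-23 | Nov-23 | Dec-23 | Jan-24 | Feb-24 | Mar-24 | Apr-24 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| United States | 2,183 | 3,310 | 3,966 | 4,967 | 5,983 | 6,784 | 7,564 | 8,897 | 10,534 | 11,299 | 12,315 | 14,233 | 21,058 |
| Singapore | 301 | 442 | 498 | 693 | 815 | 957 | 1,176 | 1,225 | 1,246 | 1,341 | 1,415 | 1,577 | 2,181 |
| Ireland | 325 | 468 | 575 | 697 | 794 | 1,000 | 1,181 | 1,235 | 1,202 | 1,256 | 1,350 | 1,380 | 1,671 |
| Germany | 201 | 362 | 425 | 546 | 631 | 711 | 738 | 908 | 1,187 | 1,268 | 1,371 | 1,757 | 2,672 |
| United Kingdom | 190 | 289 | 403 | 519 | 650 | 728 | 828 | 908 | 1,050 | 1,107 | 1,263 | 1,526 | 2,208 |
| Australia | 185 | 338 | 407 | 521 | 619 | 685 | 760 | 800 | 933 | 1,006 | 1,106 | 1,361 | 2,164 |
| India | 0 | 0 | 149 | 269 | 465 | 527 | 567 | 733 | 1,038 | 1,114 | 1,214 | 1,481 | 2,457 |
| France | 105 | 184 | 281 | 360 | 407 | 456 | 485 | 578 | 731 | 778 | 819 | 971 | 1,471 |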

Conclusion

The rise in VPN-targeted attacks is not just a security concern but also a significant business risk. VPNs have been integral to secure remote access, yet the surge in exploitation attempts reveals an urgent need for organizations to reassess their dependence on this technology. The vulnerabilities being exploited, such as those found in Fortinet and Palo Alto Networks products, underline the necessity for a shift towards more integrated and comprehensive security frameworks.

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/is-the-vpn-era-ending-insights-for-security-leaders/


Article source: https://securityboulevard.com/2024/05/is-the-vpn-era-ending-insights-for-security-leaders/