Experts warn that virtual private networks are increasingly vulnerable to leaks and attack.
Free virtual private network (VPN) service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information (PII) of more than a million users in just the latest high-profile VPN security failure.
The incident has some security practitioners questioning whether VPNs are an outdated technology.
Researchers at WizCase discovered Quickfox misconfigured the VPN service’s Elasticsearch, Logstash and Kibana (ELK) stack security. The trio of programs helps manage searches, the report explained.
“Quickfox had set up access restrictions from Kibana but had not set up the same security measures for their Elasticsearch server,” according to the report. “This means that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users.”
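The gap the report describes, a protected Kibana in front of an Elasticsearch HTTP API that accepts unauthenticated requests, can be caught by auditing the node's own settings. The Python check below is an added example, not code from WizCase or Quickfox; the sample configurations are constructed, and treating an absent `xpack.security.enabled` as disabled is an assumption.

```python
import ipaddress

# Constructed sample settings in elasticsearch.yml form (not Quickfox's files).
EXPOSED = """
network.host: 0.0.0.0        # reachable from any interface
xpack.security.enabled: false
"""
HARDENED = """
network.host: 127.0.0.1      # only the local Kibana/Logstash can connect
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_settings(text):
    """Read flat 'key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, _site_, _global_: assume reachable

def enabled(cfg, key):
    # Assumption: an absent key counts as disabled (the conservative reading).
    return cfg.get(key, "false").lower() == "true"

def audit(text):
    """Return findings for an Elasticsearch HTTP API left open to the network."""
    cfg = parse_settings(text)
    host = cfg.get("http.host", cfg.get("network.host", "_local_"))
    port = cfg.get("http.port", "9200")
    if is_loopback(host):
        return []
    if not enabled(cfg, "xpack.security.enabled"):
        return [f"CRITICAL: {host}:{port} answers without authentication"]
    if not enabled(cfg, "xpack.security.http.ssl.enabled"):
        return [f"WARN: {host}:{port} requires login but sends it without TLS"]
    return []

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(sample) or "ok")
```

Restricting Kibana alone does not change the result for the exposed sample, because the finding depends only on how the Elasticsearch node itself is bound and authenticated.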
Quickfox users in China, Indonesia, Japan, Kazakhstan and the U.S. were affected, the researchers found, adding that a total of 500 million records and 100GB of data were exposed.
The leaked data fell into two categories, the report said: PII like emails and phone numbers, and information about software on the devices of around 300,000 Quickfox users.
“Data from the leak exposes the names of other software installed on the users’ devices, as well as the file location, install date, and version number. It’s unclear why the VPN was collecting this data, as it is unnecessary for its process, and it is not standard practice seen with other VPN services,” the researchers said in the report.
Since the pandemic, VPN use by organizations has exploded to help remote workers access the systems necessary to perform their jobs. Archie Agarwal, CEO of ThreatModeler, told Threatpost that his most recent search identified more than a million VPNs online in the U.S. alone.
But following spectacular VPN security failures like the Colonial Pipeline breach, and the leak of thousands of Fortinet VPN account credentials, the U.S. government decided to weigh in and issue guidance on hardening VPNs, including looking for a service with strong encryption and access management. A service that actively patches known vulnerabilities is also a plus.
Adopting a zero-trust security model is one solution to reliance on VPNs, but that is both expensive and hard to implement, Chris Morgan, analyst with Digital Shadows, told Threatpost.
“While zero-trust models may indeed be a more secure solution, its adoption will result in a greater logistical and financial cost,” Morgan said. “Many companies will likely find continued use of a VPN a more pragmatic short-term solution.”
But Agarwal argues VPNs need to go entirely.
“These are the doorways to private sensitive internal networks and are sitting there exposed to the world for any miscreant to try to break through,” Agarwal told Threatpost. “These represent the old perimeter paradigm and have failed to protect the inner castle over and again. If credentials are leaked or stolen, or new vulnerabilities discovered, the game is over and the castle falls. New zero-trust approaches being advocated by the United States government and NIST take this public doorway offline and throw an invisible cloak over the entire network.”
Employee user behavior is another big consideration, Heather Paunet, senior vice president at Untangle, explained to Threatpost.
“Moving forward, we must take the human element into consideration,” Paunet said. “IT professionals are challenged with getting employees to effectively use the technology. If the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off. The challenge for IT professionals is to find a VPN solution that is fast and reliable so that employees turn it on once and forget about it.”
Paunet added that VPN solutions are continuing to improve both in ease of use and security.
However, Timur Kovalev told Threatpost that it’s time for IT administrators to require employees to up their cybersecurity game, regardless of how annoying it is.
“To combat employees not always using VPN connections, and provide another layer of security, administrators looked to requiring 2FA [two-factor authentication] for more systems than they had before,” he said. “This means they can also choose whether to use 2FA for every login, which is more ‘annoying’ for employees yet more secure, or to use 2FA periodically, or after a device is trusted, which is easier for employees yet not quite as secure.”
Kovalev suggested to Threatpost the stakes are too high to ignore user behavior.
“With the recent ransomware attacks and high-profile breaches, such as SolarWinds, JBS, Pulse Secure and Kaseya VSA, IT administrators should be considering using the more secure options,” Kovalev added. “This will also involve training their employees how to navigate the less easy to use tools as well as explaining to employees why these measures are necessary and what they can do to not fall victim themselves to any type of security breach.”
Troublingly, Tyler Shields with JupiterOne predicts more VPN attacks to come.
“Discovery of exploits tends to cluster over time,” Shields told Threatpost. “Moving forward, I would expect additional network technology-based exploits to be disclosed as hackers continue to target those types of devices.”