Zero trust frameworks remain vulnerable through existing VPN equipment, security researchers disclose

By Dain Oh, The Readable
Sep. 4, 2023 7:45PM GMT+9

As the shift toward a zero trust security model gains momentum in the United States and beyond, South Korean researchers have found that even existing network safeguards, like virtual private networks (VPNs), still pose a security risk to this emerging framework.

In a series of experiments using configurations of current VPN technology, the researchers successfully breached a zero trust security environment, gaining administrative access that enabled them to remotely infiltrate systems.

Kim Eunyoung, a Principal Researcher at the National Security Research Institute’s (NSR) Cyber Security Research Division, unveiled her latest findings at the World Conference on Information Security Applications (WISA). The conference was held from August 23 to 25 on Jeju Island, South Korea. Collaborating with her on this research was Sohn Kiwook, a Computer Science and Engineering professor at Seoul National University of Science and Technology, who previously served as a director at NSR.

Kim Eunyoung, a Principal Researcher at the National Security Research Institute’s (NSR) Cyber Security Research Division, is sharing her research findings at the World Conference on Information Security Applications (WISA) on August 23. Photo by Dain Oh, The Readable

In a research paper published through WISA, titled “Research on Security Threats Using VPN in Zero Trust Environments,” the two researchers carried out a series of experiments and firmware analyses. Their goal was to pinpoint security vulnerabilities in Zero Trust Network Access (ZTNA) systems, with a particular focus on current network equipment.

“Despite the adoption of zero trust in many network environments, existing firewall or VPN devices are still in use,” said Kim while introducing the research. “We attempted to examine potential security threats that zero trust environments may encounter due to vulnerabilities in these existing network devices and propose countermeasures to mitigate such threats,” she elaborated.

Security threat scenario in zero trust environment using VPN. Source: Research on Security Threats Using VPN in Zero Trust Environments

The U.S. National Institute of Standards and Technology (NIST) defines zero trust as “the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Interest in the security framework has surged within global tech circles ever since the Biden administration signaled its intention to adopt zero trust policies through an executive order aimed at bolstering the nation’s cybersecurity in May 2021.

According to the researchers, the zero trust maturity model published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) consists of five pillars: identity, device, network and environment, application workload, and data. “Although the five pillars provide a solid foundation for organizations to improve their security posture, there is no one-size-fits-all approach,” explained Kim. The researcher went on, adding that “most of the proposed models for zero trust have primarily focused on access control for end devices and access data by strengthening user authentication.”

Starting with the premise that security threats could still arise even under a zero trust framework, Kim and Sohn conducted simulations based on vulnerability-focused attack scenarios. They compared Google’s BeyondCorp with Netflix’s Location Independent Security Approach (LISA). To validate their findings, the researchers zeroed in on models similar to Netflix’s LISA, which keep existing network devices in place and could therefore inherit either undisclosed or publicly disclosed vulnerabilities from those devices. This contrasts with Google’s BeyondCorp approach, which removes VPNs and firewalls from the access path altogether.

Additionally, the researchers put one vendor’s VPN appliance under the microscope and discovered a flaw that “allows an attacker to obtain a reverse shell by executing a command that connects to it” even within a zero trust framework. In a reverse shell, the compromised device itself opens an outbound connection to a host the attacker controls and attaches a command shell to it. Because the victim initiates the connection, it passes through rules that only filter inbound traffic, and it hands the attacker remote command execution on the device, in this case the VPN appliance that sits in front of the protected resources.

“Although ordinary users may not have a significant impact on the system as a whole, even if they are subject to hacking attacks from external sources in a zero trust environment, vulnerability attacks on users with administrator privileges can cause many problems throughout the system,” warned Kim. “When introducing the new zero trust framework, real-time monitoring of abnormal user behavior and security measures should be reviewed for all network equipment rather than simply strengthening user authentication with a more robust policy.”
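Kim’s point that all network equipment needs behavioural monitoring, not just stronger user authentication, can be made concrete with a small egress check. What follows is an added example written for this article, not code from the researchers, the paper, or any vendor. It parses a constructed flow-log format from a hypothetical VPN appliance (the host name vpn-gw-01, all addresses, and the allow-list are assumptions) and flags connections that the appliance itself initiates outside a fixed policy, which is the shape a reverse shell from a compromised appliance takes.

```python
"""Added example: flag reverse-shell-like egress from a VPN appliance.

The log format, host name, addresses and allow-list below are all
constructed for this illustration; they are not the researchers' data
or any vendor's log format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical flow-record format (constructed for the example):
#   <timestamp> <device> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample records from the hypothetical appliance vpn-gw-01
# (management address 10.0.0.5): DNS lookup, LDAPS to the identity
# provider, an inbound user session, an outbound connect-back to an
# external host on 4444, and an SSH attempt from the appliance to an
# internal server.
SAMPLE_FLOWS = """
2023-08-24T10:01:02Z vpn-gw-01 10.0.0.5:40001 -> 10.0.0.53:53 udp
2023-08-24T10:01:03Z vpn-gw-01 10.0.0.5:40002 -> 10.0.0.40:636 tcp
2023-08-24T10:01:05Z vpn-gw-01 203.0.113.9:51515 -> 10.0.0.5:443 tcp
2023-08-24T10:02:11Z vpn-gw-01 10.0.0.5:40003 -> 198.51.100.77:4444 tcp
2023-08-24T10:02:40Z vpn-gw-01 10.0.0.5:40004 -> 10.0.0.120:22 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse flow records; reject any line that does not match the format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append(Flow(
            ts=m["ts"], device=m["device"],
            src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
            proto=m["proto"].lower(),
        ))
    return flows


# Assumed policy for the example: the appliance itself should only ever
# open connections to these (destination, port, protocol) tuples.
APPLIANCE_IPS = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.0.0.53"), 53, "udp"),   # internal DNS
    (ipaddress.ip_address("10.0.0.53"), 53, "tcp"),
    (ipaddress.ip_address("10.0.0.40"), 636, "tcp"),  # LDAPS to the identity provider
    (ipaddress.ip_address("10.0.0.60"), 514, "udp"),  # syslog collector
}


def suspicious_egress(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) for connections the appliance initiated outside policy.

    A reverse shell is an outbound connection from the compromised device to
    the attacker, so it shows up here while inbound-only filtering and
    stronger user authentication never see it.
    """
    findings = []
    for f in flows:
        if f.src not in APPLIANCE_IPS:
            continue  # traffic through the appliance, not from it
        if (f.dst, f.dport, f.proto) in ALLOWED_EGRESS:
            continue
        reason = "internal" if f.dst in INTERNAL_NET else "external"
        findings.append((f, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in suspicious_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.ts} {flow.device}: appliance -> {flow.dst}:{flow.dport}/{flow.proto}"
              f" ({reason} destination, not in egress policy)")
```

Run against the sample, the check reports exactly two records: the connect-back to 198.51.100.77:4444 and the appliance’s own SSH attempt against an internal server, while the inbound user session on port 443 is ignored because the appliance did not initiate it. The same tuple list enforced as an egress rule on the appliance itself would block the connect-back rather than only report it; the monitoring view is still needed because the attacker, once on the device with administrator privileges, may be able to change those rules.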

The cover image of this article was designed by Areum Hwang.

Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.