Hackers are Scanning for Vulnerable VPNs warns Government Agencies

The continued abuse of the COVID-19 pandemic has forced the hand of law enforcement and government agencies to dedicate time and resources to combatting cybercrime incidents rather than focussing on assisting efforts to combat the actual pandemic. In a joint statement made by both the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) the public has been warned of hackers scanning for vulnerable VPNs to target certain employees who are now forced to work remotely.

The InfoSec community has already seen several campaigns looking to take advantage of others during the pandemic. Most have been in the form of spam emails spoofed to look like they are from the World Health Organisation (WHO) or other similar healthcare agencies. These are often used as lures to harvest credentials or to spread malware variants. Researchers have also detected activity relating to state-sponsored groups looking to take advantage of the situation.

Interestingly, the situation has not caused an increase in attacks per se according to the agencies mentioned above but has resulted in more and more hackers looking to somehow leverage the pandemic to their benefit.

hackers are scanning vulnerable vpns

Paul Chichester Director of Operations at the NCSC stated in the advisory,

“Malicious cyber actors are adjusting their tactics to exploit the COVID-19 pandemic, and the NCSC is working round the clock with its partners to respond…Our advice to the public and organizations is to remain vigilant and follow our guidance, and to only use trusted sources of information on the virus such as UK Government, Public Health England or NHS websites.”

Likewise, his US counterpart, Bryan Ware, CISA Assistant Director for Cybersecurity, shared a similar viewpoint, noting,

“As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business. Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond…We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats.”

While the alert covers a lot of different styles of cyber-attack from scammers to ransomware operators it is what the agencies have to say regarding those forced to work remotely. Both agencies have noted hackers scanning for known vulnerabilities that affect tools and software that help facilitate remote working. Law enforcement officials take this activity to mean that hackers are looking to take advantage of the increased amount of workers forced to work from home. In order to help other law enforcement agencies and security researchers, both agencies have also published another advisory which lists some of the known indicators of compromise (IoC) that agency officials have encountered. The full advisory provides examples of using COVID-19 as a lure, either by using emails or SMS messaging services. Of particular interest is the vulnerabilities been scanned for which target remote workers. One such vulnerability is a publically known Citrix vulnerability.


The Citrix vulnerability, CVE-2019-19781, was made publically known in December 2019. If correctly exploited the vulnerability does allow the attacker to exploit arbitrary code with the vulnerability affecting all Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). Patches have been released steadily since January 19, 2020, with all vulnerable builds receiving a downloadable patch by January 24, 2020. This has not prevented hackers from scanning for devices that have not been patched. Users of any affected device are strongly recommended to download and install the patch if they have not done so already. Other well-known and used VPN products have also been shown to share a similar vulnerability. Those products being VPN products from Pulse Secure, Fortinet, and Palo Alto. An advisory has been published that deal with the vulnerabilities found in each vendor’s products as well as methods to mitigate exploitation.

VPNs are not the only current targets hackers are looking to exploit. As meetings in many circumstances can’t be done in board rooms for the foreseeable future, many countries have come to rely on products like Zoom and Microsoft Teams to keep communication channels open. Hackers have been seen sending out malicious phishing emails that include malicious files with names such as “zoom-uszoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe”, note the # represents numbers which have been reported online but not reproduced in the advisory. The malicious files when executed are able to hijack teleconference and online classrooms that have been set up without security controls, namely passwords that grant access to the meeting. Further, it has also been seen that unpatched versions of the software have also been hijacked.

Another issue that has been brought to the public’s attention regarding how hackers are targeting remote workers relates to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). The surge in use has also brought about a surge in the use of unsecured RDP connections. Abusing RDP connections to grant increased administrative privileges has been a favored tactic of hackers for a while now. Once admin privileges are granted the attacker can often install malware at will, be it banking trojans or ransomware as only a few examples. A recent analysis revealed that unsecured use of the protocol increased 127%, with researcher’s stating,

“The unprecedented surge in remote work due to the COVID-19 pandemic has led to an increase in RDP usage. As a side effect of the need to provide remote access quickly and at scale, many RDPs are being misconfigured and left exposed to the internet…At the time of writing this article, Reposify’s external attack surface management platform has detected more than 4.7 million RDPs that are exposed to the internet and are at risk of potential attacks. On some days there was 127% increase in exposed RDPs.”

Protecting Yourself and Your Enterprise

Given the recent uptick in remote workers, the NCSC published an article explaining certain measures to help those used to working in an office to working remotely. Some of the general recommendations include:

  • Create written guides and how-to documents for new software that staff will be using, or existing applications that will be used in a different way, or even more basic elements like 'How to log into and use an online collaboration tool'.
  • Make sure devices encrypt data at rest, to protect data on the device if it is lost or stolen. While most modern devices have encryption built in, it may need to be switched on and configured.
  • Use mobile device management (MDM) tools to set up devices with a standard configuration, and also to remotely lock devices, erase data or retrieve a backup.
  • VPNs: Make sure that VPNs are patched, remember that additional licenses, capacity or bandwidth may be required if your organisation normally has a limited number of remote users.
  • Make sure that staff know what to do if their device is lost or stolen. That includes who to report it to: staff who fear getting into trouble are less likely to report lost devices quickly, so make sure it can be done in a blame-free way.

During these uncertain times, it is clear that hackers will exploit global events including pandemics to further their goals be they financial or geopolitical. An important consideration is the base of recent research shared by Microsoft there hasn’t been a massive spike in malware incidents. Rather, there has been a change is tactics to leverage COVID-19 for their benefit. Much of the leverage generated by abusing the pandemic is a result of playing off our fears. We are constantly bombarded with bad news, loss of life, and further spread on COVID-19 during this period in history. It is important to remember that hackers and other cybercriminals have not changed the game. They are still using the same tools and tactics as before. They are just doing so in a climate of heightened fear. All the same measures we have been told to do numerous times before the outbreak of the disease still are effective at preventing malware infections. We have adopted sanitary measures to stop the spread of COVID-19, we can adopt similar measures but rather than fighting a disease they prevent the spread of malware.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal