How your VPN can be a front door access to your system


Batu69

Tl;dr: double check your local software firewall settings while using a commercial VPN!

 

Introduction

VPNs are used by different people for different purposes. Some use them to bypass censorship, others to access services which are not available in their own country, and some to add a layer of privacy.

 

During our daily work we use a VPN for two reasons: to access exploit kits and to anonymously test AV and Endpoint Security products. Most exploit kits filter the attack based on the country of the victim's IP address. It has also happened in the past that AV and Endpoint Security products behaved differently in a lab environment than for home or enterprise users. Thus the VPN is very important in our daily work. But sometimes it can surprise us.

 


 

The following story happened in February 2016. We used a commercial VPN as always, and meanwhile our exploit replay proxy (Fiddler) was used to serve malicious traffic to the VirtualBox guest machines. For this configuration, “allow remote computers to connect” was turned on (a non-default option). The lab machine is behind a firewall and NAT. After some exploit tests (exciting results will be published later) our analysts went home, but the proxy and the VPN were left open for the night.

 

In the morning, after having a cup of tea (we are a British company ?), we found some suspicious traffic in the Fiddler history. But all guest machines were shut down, strange… Which means either malware was running on the host, or someone had accessed the Fiddler proxy from the Internet. After a quick investigation it turned out that the traffic was coming through the VPN network interface. I did a quick Nmap scan on the VPN IP, and it proved our suspicion. The lab machine was accessible through the VPN IP to the whole Internet. All services (Apache, FTP, Fiddler, RDP) were accessible. The Fiddler proxy port was found as an open proxy by a bot, and it was instantly used for malicious purposes – possible click fraud. At least the SMB port 445 was filtered by the firewall…

 


 

Although the Windows Firewall was up and running, the VPN interface was in Public mode and the primary network interface in Private (home) mode, the services were accessible because these services had been manually configured to be allowed for the private profile (our mistake).

 


 

We believe most VPN companies don’t have this issue (although we have not tested others yet). Other VPN providers have fewer public IPs than active VPN users, which means they have to use NAT somewhere. And with NAT this can’t happen.

Lessons learned

  • Always check for suspicious things
  • Test your VPN provider
  • Every new layer of defense introduces a new vulnerability

Questions and answers

Where is the technical mumbo jumbo?
We planned to do a detailed technical analysis about how this could have happened, but it turned out that without access to the VPN server configuration, we can only guess. Is this a site-to-site VPN configuration where one site is the Internet and the other is the VPN client? Is this configured via routing or iptables? We don’t know. But actually, it does not really matter to most people.
 
Have we contacted the VPN provider?

Yes, at the same time as this post was published. We will update this post with the vendor response.

 

Are users at risk?

Yes, as most people are not aware that using VPN can “publish” their system on the Internet. Many people turn off their firewall at home, and also a lot of systems have misconfigured firewalls (like ours).

 

Is this behaviour documented by the VPN provider?

We don’t know, but we could not find it. But we are sure average people are not aware of this risk.

PS: we left an easter egg in the video. If you find it, please don’t post it. Thank you!

 

The official reply from HMA, see below:

[image: screenshot of HMA's official reply]

 

Article source

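The firewall settings the article alludes to, as an added example that is not the article's, the thread's or HMA's code: a PowerShell audit (run as administrator on Windows 8/Server 2012 or later, where the NetSecurity module exists) that lists which adapter sits in which Windows Firewall profile, and which enabled inbound allow rules are bound to no particular interface and no particular remote address, and so also apply to a Public VPN adapter. The adapter alias 'HMA VPN' is an assumption; take the real name from the first table the script prints.

```powershell
# Added example (not from the article or HMA): audit what a VPN adapter exposes.
# $VpnAlias is an assumed adapter name; replace it with the alias shown by
# Get-NetConnectionProfile on your own machine.
$VpnAlias = 'HMA VPN'

# 1. Which profile (Public / Private / DomainAuthenticated) each connected adapter is in.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. The VPN adapter specifically, if it is currently up.
$vpnProfile = Get-NetConnectionProfile -InterfaceAlias $VpnAlias -ErrorAction SilentlyContinue
if ($vpnProfile) {
    "VPN adapter '$VpnAlias' is in the $($vpnProfile.NetworkCategory) profile"
} else {
    "VPN adapter '$VpnAlias' is not connected (or the alias is wrong)"
}

# 3. Enabled inbound Allow rules that are active on the Public profile (or on
#    every profile) AND are not scoped to an interface or a remote address.
#    Each row is a port reachable from the far side of the tunnel; if the
#    provider hands out a routable address without NAT, as in the article,
#    that means reachable from the whole Internet.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -eq 'Any' -or $_.Profile -match 'Public' } |
    ForEach-Object {
        $port  = $_ | Get-NetFirewallPortFilter
        $addr  = $_ | Get-NetFirewallAddressFilter
        $iface = $_ | Get-NetFirewallInterfaceFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Interface     = ($iface.InterfaceAlias -join ',')
        }
    } |
    Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Interface -eq 'Any' } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Rules enabled for the Private profile only do not show up in the last table, but a rule whose Profile column reads "Private, Public" or "Any" does, and that is the kind of rule that puts a lab service like Fiddler, FTP or RDP behind the VPN address. Anything listed there should be re-scoped to the LAN adapter (-InterfaceAlias) or to the Private profile, or deleted.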
Israeli_Eagle

Simply never use any (shitty & useless) app for VPN!!!

For example the official OpenVPN driver is quite enough and only needs some minimal brain. ^_^



14 minutes ago, jamesDDI said:

To use HMA means to have a big mental problem..

 

Not just HMA VPN but all VPNs: you need to check your local software firewall settings while using a VPN.



21 minutes ago, Batu69 said:

 

Not just HMA VPN but all VPNs: you need to check your local software firewall settings while using a VPN.

 Yeah



 

3 hours ago, jamesDDI said:

To use HMA means to have a big mental problem..

 

3 hours ago, Batu69 said:

 

Not just HMA VPN but all VPNs: you need to check your local software firewall settings while using a VPN.

Both of you are right. HMA is not a good VPN provider at all; they log and have turned people in before.. I would never use it.

https://invisibler.com/lulzsec-and-hidemyass/

 

Also you should always check your firewall :)



8 hours ago, Batu69 said:

 

Not just HMA VPN but all VPNs: you need to check your local software firewall settings while using a VPN.


 

7 hours ago, jamesDDI said:

 Yeah

 


 

So you guys and HMA support say that while using a VPN I might just as well disable my firewall because while using the VPN traffic is routed around my firewall rendering it useless? :wtf:



11 hours ago, Mantis said:


 

 


 

So you guys and HMA support say that while using a VPN I might just as well disable my firewall because while using the VPN traffic is routed around my firewall rendering it useless? :wtf:

 

Actually, you did not read the article or you misunderstand its contents.



That's why I use my own VPN hosts on cloud hosting providers with temporary IPs and instances; when the tests are over, the instances are destroyed and the IPs are released back into the IP pool. Firewall rules are also in place to restrict access from other IPs.

 

At least set up the firewall to also filter the traffic in the VPN and make sure only ports that you need will be allowed.

IP Filtering to known hosts will also help reduce attacks.

 

Prevention is better than cure.

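The advice in the post above (filter traffic on the VPN adapter too, allow only the ports you need, and only from known hosts), applied to the lab from the article, as an added example that is not the commenter's, the article's or HMA's code. It assumes a LAN adapter alias 'Ethernet', a VPN adapter alias 'HMA VPN', a lab subnet 192.168.10.0/24, and that the four services use their default ports (Apache 80, FTP 21, RDP 3389; Fiddler's 8888 is an assumption). Run as administrator.

```powershell
# Added example (not from the thread): scope the lab services to the LAN side
# and explicitly block inbound traffic arriving over the VPN adapter.
# All aliases, the subnet and the port list below are assumptions.
$LanAlias  = 'Ethernet'                 # assumed LAN adapter alias
$VpnAlias  = 'HMA VPN'                  # assumed VPN adapter alias
$LanSubnet = '192.168.10.0/24'          # assumed lab subnet of the VirtualBox guests
$LabPorts  = @(80, 21, 8888, 3389)      # Apache, FTP, Fiddler (assumed 8888), RDP

# 1. Keep the VPN adapter in the Public profile and make sure Public drops
#    inbound connections by default (the defaults, but worth pinning down).
#    Set-NetConnectionProfile only works while the adapter is connected.
Set-NetConnectionProfile -InterfaceAlias $VpnAlias -NetworkCategory Public
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -Enabled True

# 2. Re-create the allow rules for the lab services so that they match only
#    on the LAN adapter, only on the Private profile, and only from the lab
#    subnet. A rule with Profile=Any and no interface/remote-address scope is
#    what let the VPN become a front door in the article.
foreach ($p in $LabPorts) {
    $name = "Lab service TCP $p (LAN only)"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $p -Profile Private `
        -InterfaceAlias $LanAlias -RemoteAddress $LanSubnet | Out-Null
}

# 3. Belt and braces: an explicit inbound Block rule bound to the VPN adapter.
#    Windows Firewall evaluates Block rules before Allow rules, so a stray
#    Profile=Any allow rule added later still cannot expose a port over the tunnel.
$blockName = 'Block all inbound on VPN adapter'
Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Action Block `
    -InterfaceAlias $VpnAlias -Profile Any | Out-Null

# 4. Verify: list every enabled inbound Allow rule explicitly bound to the VPN
#    adapter. The expected result is nothing at all. (Rules bound to interface
#    'Any' still match the tunnel, which is why step 3 exists.)
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -contains $VpnAlias } |
    Select-Object DisplayName, Profile
```

The block rule in step 3 is the part that survives future mistakes: the article's exposure came from allow rules that were broader than intended, and an interface-bound Block rule outranks any later Allow rule regardless of its profile. If the VPN must carry some inbound traffic (a remote colleague, say), add a narrower Allow rule with -RemoteAddress set to that one address rather than loosening the block.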


I have to agree: a LulzSec member got into trouble using Hide My Ass and that technical support representative is full of poop. I recommend you never use Hide My Ass, and just because Hide My Ass VPN is insecure doesn't make all VPNs insecure.



knowledge-Spammer
7 hours ago, Holmes said:

I have to agree: a LulzSec member got into trouble using Hide My Ass and that technical support representative is full of poop. I recommend you never use Hide My Ass, and just because Hide My Ass VPN is insecure doesn't make all VPNs insecure.

LulzSec got in trouble for hacking the FBI and things like that,

but I understand what you mean.




10 hours ago, Batu69 said:

 

Actually, you did not read the article or you misunderstand its contents.

I read the article but am not too techie. Maybe you could explain things a little for me?

 



11 hours ago, Mantis said:

I read the article but am not too techie. Maybe you could explain things a little for me?

 

 

No need to be too technical to understand that article.
The article just advises you to check your firewall settings when you are using a VPN, if you care about security/privacy.

HMA VPN is just an example, since the writer used that VPN and HMA VPN responded to him/her about that article.



12 hours ago, Batu69 said:

 

No need to be too technical to understand that article.
The article just advises you to check your firewall settings when you are using a VPN, if you care about security/privacy.

HMA VPN is just an example, since the writer used that VPN and HMA VPN responded to him/her about that article.

OK, let me make it clear. I've read the article but it is vague. What firewall settings are they (and you, since you are the OP) talking about?

When you post things that scare people you should explain fully what one can do to be protected. I would like to know!

Or did you just think it was a cool article and have no idea what settings they are talking about either? Thank you.



4 hours ago, Mantis said:

OK, let me make it clear. I've read the article but it is vague. What firewall settings are they (and you, since you are the OP) talking about?

When you post things that scare people you should explain fully what one can do to be protected. I would like to know!

Or did you just think it was a cool article and have no idea what settings they are talking about either? Thank you.

 

First you quoted me and wrote "you guys and HMA support say that while using a VPN I might just as well disable my firewall".

And I wrote that you had not read it, and you wrote that you had already read it but needed a little explanation (I explained the basic content of the article).

And now you need me to explain why I posted things that scare people.

 

Bro! Actually, what is your problem? This is not a tutorial.

I just copy/pasted this article here; this is not about whether it is a cool article or not, this is about it being good to know something we didn't know. If you need more explanation,

you should ask the original writer why this happened and why this setting is needed!

 

 



 

12 hours ago, Batu69 said:

this about good to know something if we don't know

That is what/why I am asking. I will see if I can get any answers from the original source. Sorry to bother you Bro, I didn't know you simply cut/pasted this. I thought you were the original author from the other site and were cross-posting here too. Maybe for these types of posts the OP should put the words copy/paste as a tag. Just my opinion. Thank you.
