TunnelCrack: New Security Vulnerabilities Deprive Users of VPN Protection

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A study carried out by researchers from New York University and KU Leuven revealed security and privacy vulnerabilities (dubbed TunnelCrack) in VPN clients. These vulnerabilities can be exploited in two attacks that leak user traffic outside the encrypted tunnel.

The two resulting attacks, ‘LocalNet’ and ‘ServerIP’, stem from how VPN clients configure the operating system (OS) to route traffic through the VPN tunnel. The client does this by updating the system’s IP routing table and adding routing exceptions, such as for traffic to and from the local network and for traffic to the VPN server itself.

The research showed that these routing exceptions can be abused by means of a rogue WiFi access point or spoofed DNS responses, causing selected traffic to bypass the encrypted tunnel. The attacks are independent of the VPN protocol used by the connection.

The LocalNet attack, tracked as CVE-2023-36672, requires the attacker to set up a rogue WiFi access point and trick the victim into connecting to it. Typically this is done by imitating a public hotspot that the target is likely to join. Once connected, the victim is assigned an IP address and local subnet chosen by the attacker.

Because most VPNs allow direct access to the local network while connected, traffic to any destination inside that assigned subnet falls under the local-network routing exception and bypasses the encrypted tunnel.

This attack can be mitigated by enabling the option that disables local network traffic in the VPN client’s settings. Although this forces all traffic through the VPN tunnel, it also prevents use of the local network while the VPN is connected, for example streaming video to a TV.

The ServerIP attack, tracked as CVE-2023-36673, abuses a design flaw common to most VPNs: traffic addressed to the VPN server’s IP address is not sent through the encrypted tunnel. To carry out the attack, the adversary spoofs the DNS responses the victim receives, redirecting the victim’s network traffic to an adversary-controlled server. This lets the attacker read and modify that unencrypted traffic.

This attack can be mitigated by using encrypted DNS, such as DNS over TLS or DNS over HTTPS, which improves network security more generally. VPN users should also check for and install security updates as soon as they become available.
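To make the two routing exceptions concrete, the following is an added Python example written for this page (not code from the researchers or from any VPN vendor). It models the client’s routing decision for a destination and runs two defender-side checks: for the LocalNet condition, whether the subnet handed out by the access point lies outside private address space or is implausibly large; for the ServerIP condition, whether the DNS answer for the VPN server matches a pinned address and whether the exception route covers only that single host. Every address, the pinned server IP (a documentation-range value) and the subnet-size threshold are constructed assumptions.

```python
import ipaddress

# RFC 1918 and link-local ranges that a legitimately assigned local subnet should
# sit inside; an access point handing out anything else deserves a closer look.
_EXPECTED_LOCAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed pinned address for the VPN server (RFC 5737 documentation range,
# not a real server).
PINNED_VPN_SERVER = "203.0.113.10"


def tunnel_bypass_reason(dst, local_subnet, vpn_server_ip):
    """Which routing exception, if any, sends a packet to `dst` outside the tunnel.

    Models the two exceptions the article describes: a host route for the VPN
    server and a route for the local subnet. Everything else goes through the tunnel.
    """
    dst = ipaddress.ip_address(dst)
    if dst == ipaddress.ip_address(vpn_server_ip):
        return "vpn-server-exception"
    if dst in ipaddress.ip_network(local_subnet, strict=False):
        return "local-network-exception"
    return None


def audit_localnet(local_subnet, max_addresses=65536):
    """LocalNet check on the subnet assigned by the access point.

    Flags a subnet that reaches outside private/link-local space or is implausibly
    large, since either lets the access point pull chosen destinations under the
    local-network exception. The size threshold is an assumed policy value.
    """
    net = ipaddress.ip_network(local_subnet, strict=False)
    findings = []
    if not any(net.version == r.version and net.subnet_of(r) for r in _EXPECTED_LOCAL_RANGES):
        findings.append(f"local subnet {net} is outside private address space")
    if net.num_addresses > max_addresses:
        findings.append(f"local subnet {net} is unusually large ({net.num_addresses} addresses)")
    return findings


def audit_serverip(resolved_ip, pinned_ip, server_route):
    """ServerIP check: the DNS answer must match the pinned server address and the
    exception route must be a single-host route for exactly that address."""
    findings = []
    pinned = ipaddress.ip_address(pinned_ip)
    if ipaddress.ip_address(resolved_ip) != pinned:
        findings.append(f"VPN server resolved to {resolved_ip}, pinned address is {pinned}")
    route = ipaddress.ip_network(server_route, strict=False)
    if route.num_addresses != 1 or pinned not in route:
        findings.append(f"server exception route {route} is not a host route for {pinned}")
    return findings


if __name__ == "__main__":
    # Benign setup: private /24 from the access point, DNS agrees with the pin.
    print(audit_localnet("192.168.1.0/24"),
          audit_serverip(PINNED_VPN_SERVER, PINNED_VPN_SERVER, PINNED_VPN_SERVER + "/32"))
    # LocalNet-style setup: the access point handed out a public /24, so a public
    # destination inside it is routed under the local-network exception.
    print(audit_localnet("198.51.100.0/24"),
          tunnel_bypass_reason("198.51.100.7", "198.51.100.0/24", PINNED_VPN_SERVER))
    # ServerIP-style setup: the DNS answer differs from the pinned address.
    print(audit_serverip("198.51.100.99", PINNED_VPN_SERVER, PINNED_VPN_SERVER + "/32"))
```

The checks are deliberately independent of the VPN protocol, matching the article’s observation that the attacks are too: they look only at what the OS routing table and DNS resolution hand the client.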

The study involved 67 VPN products (free, paid, open-source, commercial, and built-in VPN clients) and different versions of Windows, Linux, iOS, macOS, and Android operating systems.

Rhysida Ransomware Emerges as a Significant Threat to Healthcare Security

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new ransomware group dubbed Rhysida has gained notoriety in recent months, following a series of high-impact attacks on the healthcare sector. The group, which first emerged in May 2023, has prompted several government organizations and cybersecurity companies to analyze its activities closely.

Following its attacks on the Chilean Army and on Prospect Medical Holdings, the latter affecting 17 hospitals and 166 clinics in the US, the group was deemed a significant threat to the healthcare and public sector by the U.S. Department of Health and Human Services (HHS).

On August 4, HHS released an advisory on the ransomware, while security companies including Trend Micro, SentinelOne, and Check Point published their own analyses of different facets of the malware.

SentinelOne’s initial analysis of Rhysida showed that it was in the early stages of development and lacked standard malware features. The operators’ attack techniques consisted of phishing emails and deployment through Cobalt Strike or similar platforms.

Check Point’s analysis reveals that the ransomware has close links with the now-defunct Vice Society, based on their shared modus operandi and their targeting of victims in the education and healthcare sectors.

The attack technique employed by Rhysida in this instance included Remote Desktop Protocol (RDP), remote PowerShell sessions (WinRM), and PsExec for lateral movement. To avoid detection, the malware was seen deleting logs and forensic artifacts, while SystemBC and AnyDesk were used to maintain persistence.
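As an added illustration of how a defender might look for the chain described above (example code written for this page, not Check Point’s, SentinelOne’s or HHS’s), the Python below scores constructed, simplified event-log lines against indicators for RDP logons, WinRM session host processes, PsExec service installation, AnyDesk execution and security-log clearing, then reports hosts where more than one stage of the chain appears together. The key=value log format, host names, users and the two-stage escalation threshold are assumptions; the Windows event IDs (4624 logon, 4688 process creation, 7045 service installation, 1102 security log cleared), the PSEXESVC service name and the wsmprovhost.exe WinRM host process are the standard ones.

```python
from collections import defaultdict

# Constructed, simplified event lines ("key=value" pairs, one event per line); not
# real telemetry. Hosts, users and addresses are invented for this example.
SAMPLE_EVENTS = [
    r"host=WS01 event_id=4624 logon_type=10 user=jdoe src_ip=10.0.5.23",
    r"host=WS01 event_id=4688 image=C:\Windows\System32\wsmprovhost.exe user=jdoe",
    r"host=FS02 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe",
    r"host=FS02 event_id=4688 image=C:\ProgramData\AnyDesk\AnyDesk.exe user=SYSTEM",
    r"host=FS02 event_id=1102 user=jdoe",
    r"host=WS03 event_id=4688 image=C:\Windows\System32\notepad.exe user=alice",
]


def _basename(path):
    """Lower-cased final component of a Windows path ('' if the field is missing)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Indicator rules named "<stage>/<indicator>"; each stage is one part of the chain
# named in the article: lateral movement, persistence, anti-forensics.
RULES = [
    ("lateral-movement/rdp-logon",
     lambda e: e.get("event_id") == "4624" and e.get("logon_type") == "10"),
    ("lateral-movement/winrm-session",
     lambda e: e.get("event_id") == "4688" and _basename(e.get("image")) == "wsmprovhost.exe"),
    ("lateral-movement/psexec-service",
     lambda e: e.get("event_id") == "7045" and e.get("service_name", "").upper() == "PSEXESVC"),
    ("persistence/anydesk",
     lambda e: e.get("event_id") == "4688" and _basename(e.get("image")) == "anydesk.exe"),
    ("anti-forensics/security-log-cleared",
     lambda e: e.get("event_id") == "1102"),
]


def parse_event(line):
    """Parse one constructed 'key=value key=value' line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def match_rules(event):
    """Names of all indicator rules that fire on one parsed event."""
    return [name for name, predicate in RULES if predicate(event)]


def hunt(lines):
    """Map each host to the sorted indicators seen on it (hosts with hits only)."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for name in match_rules(event):
            hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def hosts_with_chain(hits, min_stages=2):
    """Hosts where indicators from at least `min_stages` distinct stages co-occur.

    A lone RDP logon is routine; lateral movement plus log clearing or a new
    remote-access tool on the same host is what warrants an incident-response
    look. The threshold is an assumed triage policy.
    """
    flagged = []
    for host, names in hits.items():
        stages = {name.split("/", 1)[0] for name in names}
        if len(stages) >= min_stages:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, names in sorted(results.items()):
        print(host, names)
    print("escalate:", hosts_with_chain(results))
```

Because the article notes that the operators delete logs, the 1102 rule is the one most worth pairing with a forwarded-log pipeline: an event that is only stored on the host it reports about is exactly the evidence this group removes.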

“The time to ransom (TTR) of the actors employing Rhysida ransomware is relatively low. It has been eight days from the first signs of lateral movement to the widespread ransomware deployment,” revealed the Check Point analysis.

According to the HHS security bulletin, the ransomware’s targets are spread across the US, Australia, Western Europe, and South America. Initially, its primary targets were the education, manufacturing, government, managed service provider, and technology sectors. However, its primary focus now appears to be the healthcare and public health sector.

The rapid spread and broad threat scope of Rhysida make it imperative for organizations to understand and monitor this ransomware’s tools and attack process in order to prevent such attacks in the future.