VPN quagmire: latest industry gossip you need to know

ExpressVPN’s parent company went private and laid off people, crooks exploited CiscoVPN, while AtlasVPN exposed its Linux clients. Plus, more experts are urging firms to ditch VPNs altogether.

The internet lacks inherent security and privacy, period. If you think there's a magic solution, a single product that guarantees your online safety, then marketing has certainly clouded your judgment. In truth, safeguarding your online presence requires looking past flashy applications, staying updated on the reliability of the tools you depend on, and being prepared to abandon them when necessary.

To that effect, Cybernews takes a look at the most recent, and somewhat concerning, developments in virtual private networks (VPNs), complete with expert commentary.

AtlasVPN Linux client leaks users’ IP addresses

Recently, a Reddit user with a disposable account shared a zero-day (previously unknown) flaw in the AtlasVPN Linux client. While affecting just a small subset of AtlasVPN users, the vulnerability checked out.

Malicious actors could potentially have leveraged this vulnerability to expose users’ internet protocol (IP) addresses, and hiding those addresses is fundamentally the primary purpose for which VPNs are employed. Fortunately, a patch to address this issue is in development and will be released soon.

“Once resolved, our users will receive a prompt to update their Linux app to the latest version,” the company told Cybernews.

Ransomware exploits Cisco’s VPNs

Recently, Akira ransomware abused CiscoVPN to breach networks. Here’s a literal quote from the company: “Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.”

Unfortunately, this is not the first time we’ve heard Cisco’s name in the context of a breach or security issue. Last year, it admitted to being hacked and being stripped of 2.75GB of data. Around the same time, it patched critical remote code execution (RCE) bugs in VPN routers.

The criminals are after VPNs, knowing that companies rely on them to protect critical business data. In fact, a couple of experts I spoke to told me that traditional VPNs are increasingly favored targets for bad actors. While there’s nothing wrong with the technology itself, the provider you choose is extremely important, as is the right product implementation.

“VPNs are extremely common and a critical piece of technology in today’s connected world. Like any piece of technology, they must be configured and implemented securely. Using a VPN without some sort of MFA is seldom, if ever, advisable,” Jonathan Swanson, a Director at cybersecurity consultancy Krebs Stamos Group, told Cybernews.

A VPN service is not enough, though. In its blog post, Cisco highlighted the importance of enabling multi-factor authentication (MFA) in VPN implementations, which would “significantly reduce” unauthorized access, including ransomware infection.

“If a threat actor successfully gains unauthorized access to a user’s VPN credentials, such as through brute-force attacks, MFA provides an additional layer of protection to prevent the threat actors from gaining access to the VPN,” it said.

Kape Technologies layoffs

Also catching our attention recently were the layoffs at Kape Technologies, the owner of a top provider, ExpressVPN. In August, following the change in ownership that made the company go private, it shed 12% of its global workforce: in human terms, that translates to 180 people out of a job. Engineers and quality assurance specialists were among the employees let go.

Tech company layoffs hardly surprise anyone these days — 46 cybersecurity companies have laid off 4,738 employees since the start of 2023.

However, Kape is under increased scrutiny since ExpressVPN — a product they acquired at the end of 2021 — is one of the most popular VPNs, safeguarding countless firms and individuals. The company also owns CyberGhostVPN and ZenMate VPN.

ExpressVPN was under the spotlight around the same time that Kape Technologies bought it: Daniel Gericke, ExpressVPN chief information officer, was found to have broken US hacking laws by working as a cyber spy for the United Arab Emirates and fined $335,000. This year he stood down from his position, after serving in it since 2019.

“As many of you may know, Kape Technologies (which includes ExpressVPN, CyberGhost, and PIA VPN brands) was taken private on June 1st and this week decided to retrench a portion of their global workforce. I decided to exit along with my many amazing colleagues that were terminated and am officially announcing my departure as CTO of ExpressVPN and the Kape Privacy Division,” Gericke posted on LinkedIn a month ago.

Naturally, competitors try to take advantage of any negative spotlight on a certain VPN product. But it’s not only them — the anti-VPN chorus seems to also be quite loud these days.

VPN critics

Not that long ago, newsrooms around the world received a pitch from a California cloud security company, Zscaler. What did we find in this submitted VPN risk report, written by a company that promotes zero trust? That VPNs can’t be trusted.

Naturally, I asked for clarification as to whether companies should ditch VPNs in general. Here’s the response I got from Deepen Desai, Global CISO and head of security research at Zscaler: “In order to safeguard against evolving ransomware attacks, it is critical for organizations to eliminate the use of VPNs, prioritize user-to-app segmentation using zero trust architecture, and implement an in-line contextual data loss prevention engine with full TLS inspection. Companies that rely on either hardware or virtual VPN offerings are getting a false sense of security.”

I reached out to other experts to gain their insights. Some assert that VPNs and the zero-trust approach fulfill distinct roles, emphasizing that one should not be chosen over the other blindly; instead, both can be employed to align with a company’s specific requirements. Others, echoing Zscaler's viewpoint, advocate a straightforward transition from VPNs to the zero-trust model. Ultimately, the answer differs depending on whom you ask.

Additionally, it's worth noting that migrating from VPNs to zero-trust may not be a straightforward process, even if it appears to be a more suitable solution for a particular company.

Damir Brescic, chief information security officer at cybersecurity company Inversion6, listed the possible challenges when transitioning from traditional VPNs:

  • It will require a significant shift in mindset and culture — the concept of a trusted network perimeter will need to be abandoned
  • This change may require substantial training and education for employees to understand and adapt to the new security protocols
  • The implementation process itself can be complex and time-consuming
  • Companies will need to assess their network infrastructure, identify potential vulnerabilities, and deploy appropriate security controls and monitoring
  • This transition may result in changes to policies and procedures, as well as potential investments in new technologies and solutions

Summa summarum

Criminals lurk around every corner. Be assured — they will come after you and your organization, no matter how small and insignificant you might feel. The bad news around products that are supposed to guard your assets doesn’t help your sleep, either.

As some cybersecurity experts sound the alarm on the limitations of traditional VPNs and advocate for zero-trust frameworks, the conclusion is clear (at least for me, anyway): there's no one-size-fits-all solution for online security.

It's essential for individuals and organizations to stay informed — Cybernews to the rescue — adapt to evolving threats, and prioritize cybersecurity practices that align with their individual needs and circumstances.