
VPN from a hacker's perspective
VPN connections have long been the standard method for enabling remote employees to access internal corporate networks. However, from a security standpoint, they represent a structural risk within hybrid network environments. Attackers exploit VPNs not just for the network access they provide, but because of the implicit trust relationship VPNs introduce. This trust results in weakened access controls and blind spots in detection and response mechanisms.
Trust Relationship Between Endpoint and Internal Network Layer
Once a user is connected via VPN, the external device often receives direct IP-level (Layer 3) access to the internal network. The network treats the device as if it were physically present within the organization. In many cases, this means immediate access to multiple systems, databases, or OT environments, without validation of the device's security posture, geolocation, or actual access needs. Context is often ignored: a user working from an unmanaged personal device in an unknown location may receive the same access rights as someone in the office using a company-issued laptop.
Credential and Token Harvesting
VPN systems frequently rely on simple credential-based logins, typically a username and password, sometimes supplemented with a second factor (e.g., via an app or SMS). Attackers employ phishing techniques that target not only credentials but also session tokens, allowing them to bypass multi-factor authentication. Tools like Evilginx2 specialize in intercepting tokens (e.g., JWTs), enabling attackers to hijack valid sessions and re-authenticate to VPNs without triggering MFA.
Attacks on Vulnerable VPN Appliances
VPN servers themselves are prime targets. Well-known vulnerabilities in Fortinet, Citrix, and Pulse Secure have demonstrated how attackers exploit flaws in these systems. Because VPN appliances are typically exposed to the internet, they are high-value targets. Successful exploitation can lead to internal network access, credential theft, or exfiltration of sensitive files stored in memory on the appliance.
VPN as a Blind Spot in Detection & Response
Many organizations treat VPN traffic as “trusted,” which means it often bypasses strict inspection. Firewalls permit it, SIEMs raise no alarms, and segmentation becomes ineffective since the device is now technically “inside” the network. If an attacker possesses valid credentials, they can move laterally through the environment undetected. Without correlation between VPN logs, endpoint protection, and behavioral analytics (e.g., UEBA), anomalies often go unnoticed.
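As an added illustration of the correlation this section calls for (example code written for this page, not code from the original article or from Deep Blue Security): a small Python correlator that reads constructed VPN gateway log lines and flags the two patterns a hijacked session or an unvalidated device would produce, a second concurrent session for the same account from a different source address or country, and any session from a device the gateway did not mark as managed. The log format, its field names and the `device=managed` posture flag are assumptions made for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample VPN gateway log lines (not taken from any real appliance).
SAMPLE_LOG = """\
2024-05-01T08:00:12Z vpn-gw session=start user=alice src=203.0.113.10 geo=NL device=managed
2024-05-01T08:03:40Z vpn-gw session=start user=bob src=198.51.100.7 geo=NL device=managed
2024-05-01T08:05:02Z vpn-gw session=start user=alice src=192.0.2.77 geo=RU device=unmanaged
2024-05-01T09:10:00Z vpn-gw session=end user=bob src=198.51.100.7 geo=NL device=managed
"""

# Assumed line layout: timestamp, gateway name, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session=(?P<event>start|end) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) device=(?P<device>\S+)$"
)


def parse_log(text):
    """Parse matching lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["src"] = ip_address(ev["src"])
        events.append(ev)
    return events


def find_anomalies(events):
    """Return (user, finding, detail) tuples by correlating sessions per account."""
    findings = []
    active = {}  # user -> list of currently open session events
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "end":
            # Close the session that started from the same source address.
            active[user] = [s for s in active.get(user, []) if s["src"] != ev["src"]]
            continue
        if ev["device"] != "managed":
            findings.append((user, "unmanaged-device", str(ev["src"])))
        for s in active.get(user, []):
            if s["src"] != ev["src"]:  # same account already open elsewhere
                kind = "concurrent-session" + ("-new-country" if s["geo"] != ev["geo"] else "")
                findings.append((user, kind, f"{s['src']}->{ev['src']}"))
        active.setdefault(user, []).append(ev)
    return findings
```

Run against the sample, only alice is flagged: once for the unmanaged device and once for the second session from a different address and country while her first session is still open; bob's single managed session from one address produces nothing.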

No Per-Application Access Control
Traditional VPNs grant access based on IP ranges or network subnets. If a user can reach a subnet, they can likely access every system within it, even those they don’t need. In contrast, modern architectures use per-application access control, as seen in Zero Trust Network Access (ZTNA) models. This means access is granted based on identity, device health, and context, not just network location. VPNs lack this granularity. Once inside, the rest of the network is often exposed.
Lateral Movement and Internal Reconnaissance
Once attackers establish access via VPN, they begin mapping the network using standard tools to discover systems, network shares, and login points. Because the VPN device has internal access, it behaves like a machine connected inside the LAN. Poor segmentation allows attackers to easily reach other systems, services, or sensitive environments, facilitating further compromise.
Data Exfiltration via Encrypted Trusted Channels
Since VPN traffic is both encrypted and classified as internal, it frequently bypasses Data Loss Prevention (DLP) and Network Detection & Response (NDR) systems. This allows attackers to exfiltrate data unnoticed, transferring sensitive files via RDP, SMB, or encrypted channels to external storage or command and control infrastructure.
So
VPNs no longer align with modern security architectures centered around Zero Trust. They grant excessive access, lack contextual validation, and obscure user activity. Organizations still dependent on traditional VPNs face elevated risk. A shift is needed toward models where access is granted based on identity, device posture, and behavioral signals.
Think in terms of solutions that enforce:
- Per-application access policies
- Strict controls on which devices are allowed to connect
- Real-time detection and blocking of anomalous behavior
Only then can you achieve a flexible, manageable, and secure access model that meets the complexity of modern IT and OT environments.
www.deepbluesecurity.nl || info@deepbluesecurity.nl || +31 (0)70-800 2025