https://feed.craftedsignal.io/tags/vpn/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 20:57:28 +0000https://feed.craftedsignal.io/briefs/2024-01-aws-vpn-discovery/Fri, 01 May 2026 20:57:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-aws-vpn-discovery/This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.This detection identifies the first-time occurrence of an IAM principal invoking discovery APIs from a source IP address associated with a known VPN autonomous system number (ASN). The rule focuses on high-signal discovery actions, such as credential checks, account enumeration, bucket inventory, compute inventory, and logging introspection within AWS CloudTrail logs. The goal is to detect potential reconnaissance activities originating from anonymizing networks, which may indicate malicious intent. The rule specifically omits broad List* and Describe* patterns to reduce false positives, focusing instead on a curated list of ASNs commonly associated with VPN providers and hosting services. It’s important to validate ASN data using local intelligence and tailor the event.action list based on your environment’s baseline. Hosting ASNs are dual-use and require careful monitoring.

Attack Chain

1. An attacker gains unauthorized access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.
2. The attacker initiates a VPN connection to mask their origin and evade geographic restrictions or monitoring. The VPN endpoint’s ASN belongs to a known VPN provider.
3. Using the compromised credentials and VPN connection, the attacker calls the AWS API to execute GetCallerIdentity to validate access.
4. The attacker enumerates IAM users and roles using ListUsers and ListRoles to map out the AWS environment’s identity landscape.
5. The attacker inventories S3 buckets using ListBuckets to identify potential targets for data exfiltration or manipulation.
6. The attacker gathers information about EC2 instances, VPCs, and security groups using DescribeInstances, DescribeVpcs, and DescribeSecurityGroups to understand the network infrastructure.
7. The attacker lists available Lambda functions using ListFunctions to discover potential code execution opportunities.
8. The attacker collects logging configurations by calling DescribeTrails to identify logging gaps.

Impact

A successful attack leveraging these discovery techniques can lead to unauthorized access to sensitive data, privilege escalation, and lateral movement within the AWS environment. By mapping out the cloud infrastructure, attackers can identify vulnerabilities and misconfigurations to exploit. Compromised AWS environments can result in data breaches, service disruptions, and financial losses.

Recommendation

• Deploy the Sigma rule AWS Discovery API Calls from VPN ASN by New Identity to detect anomalous discovery activity originating from VPN ASNs.
• Review the curated list of VPN-oriented ASNs within the rule query and update it with local intelligence from sources like RIPE, BGPView, or PeeringDB.
• Enable AWS CloudTrail logs to capture the necessary event data for the Sigma rule to function effectively.
• Tune the Sigma rule’s event.action filter to include additional discovery-related API calls relevant to your environment, based on baseline analysis.
• Investigate alerts generated by the Sigma rule by examining aws.cloudtrail.user_identity.arn, event.action, event.provider, source.ip, and source.as.organization.name.
• Implement automated response actions, such as revoking sessions or rotating keys, when unexpected discovery activity is detected from VPN ASNs.

]]>mediumadvisorycloudawsdiscoveryvpnhttps://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/Wed, 22 Apr 2026 14:29:22 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.OpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI openvpn, which do not advertise WebAuth/SSO support (IV_SSO=webauth), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. This vulnerability is addressed in version 1.27.3.

Attack Chain

1. Attacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).
2. Attacker uses a standard OpenVPN client (e.g., Linux openvpn CLI) that does not support WebAuth/SSO.
3. The client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.
4. The openvpn-auth-oauth2 plugin attempts to deny the client by writing “0” to the auth_control_file.
5. The plugin incorrectly returns OPENVPN_PLUGIN_FUNC_SUCCESS to the OpenVPN server.
6. OpenVPN interprets the FUNC_SUCCESS return code as successful authentication, ignoring the “0” in the auth_control_file.
7. The OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.
8. Attacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

• Immediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit 36f69a6.
• If immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.
• Monitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing IV_SSO=webauth in the logs) and correlate with network access activity.

]]>criticaladvisoryopenvpnauthentication-bypassvpnhttps://feed.craftedsignal.io/briefs/2026-04-synology-vpn-vuln/Fri, 10 Apr 2026 10:16:03 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-synology-vpn-vuln/Synology SSL VPN Client before 1.4.5-0684 stores passwords in plaintext, allowing remote attackers to potentially access or manipulate user PIN codes, leading to unauthorized VPN configuration and traffic interception.CVE-2021-47961 describes a vulnerability in Synology SSL VPN Client versions prior to 1.4.5-0684. The client software stores user passwords in plaintext, creating a security risk. An attacker with access to the system or the client’s configuration files could potentially retrieve these passwords and use them to manipulate the VPN configuration. Successful exploitation of this vulnerability can lead to unauthorized access to the VPN, as well as the potential interception and monitoring of VPN traffic. This is particularly concerning for organizations relying on secure VPN connections for remote access and data transmission. This vulnerability was disclosed on April 10, 2026.

Attack Chain

1. Attacker gains unauthorized access to the targeted system, either through physical access or remote access methods.
2. Attacker locates the Synology SSL VPN Client configuration file(s) on the compromised system.
3. Attacker opens the configuration file and retrieves the plaintext password stored within.
4. Attacker uses the retrieved password to access or modify the user’s PIN code within the VPN client.
5. Attacker reconfigures the VPN client settings, potentially redirecting traffic through a malicious server.
6. User connects to the VPN using the modified configuration.
7. All VPN traffic from the user’s machine is now routed through the attacker’s server.
8. Attacker intercepts and monitors the user’s VPN traffic, gaining access to sensitive data.

Impact

Successful exploitation of CVE-2021-47961 allows attackers to gain unauthorized access to sensitive data transmitted through the VPN connection. The number of victims is dependent on the number of deployments using the vulnerable Synology SSL VPN client version prior to 1.4.5-0684. Sectors utilizing Synology SSL VPN clients for remote access are particularly at risk. A successful attack can lead to data breaches, intellectual property theft, and potential compromise of internal systems.

Recommendation

• Upgrade Synology SSL VPN Client to version 1.4.5-0684 or later to patch CVE-2021-47961.
• Deploy the Sigma rule “Detect Synology VPN Client Configuration File Access” to detect unauthorized access to configuration files.
• Monitor network traffic for unusual VPN connection patterns indicative of traffic redirection, using existing network monitoring tools.

]]>highadvisoryplaintext-passwordvpnsynologyhttps://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/Sat, 28 Feb 2026 00:46:45 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/IDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.<p>On February 28, 2026, network intrusion detection systems (IDS) flagged suspicious activity indicative of a potential exploit targeting Fortigate VPN servers. The activity involves a series of repeated GET requests directed towards the <code>/remote/logincheck</code> endpoint, a known attack vector associated with CVE-2023-27997. This vulnerability allows unauthenticated attackers to execute arbitrary code via specially crafted requests. The observed traffic originates from the IPv6 address…</p> highadvisoryfortigatevpncve-2023-27997exploitinitial-accesshttps://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/Thu, 26 Feb 2026 07:27:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.<p>On February 26, 2026, network intrusion detection systems (IDS) triggered alerts related to potential exploitation attempts targeting Fortigate VPN servers. The alerts highlight suspicious network activity originating from multiple IP addresses, specifically repeated GET requests to the <code>/remote/logincheck</code> endpoint, a known vulnerability associated with CVE-2023-27997. This vulnerability could allow unauthorized access to the VPN. Additionally, an IPv4 address was observed using a suspicious…</p> highadvisoryfortigatevpncve-2023-27997exploitnetwork