The Hidden Cost of Complacency: Why It's Time to Rethink VPN Security


As cybersecurity evolves, one truth remains painfully overlooked: VPNs are no longer the fortress we once thought they were. During a recent presentation on strengthening multi-factor authentication (MFA), one statistic caught everyone off guard: according to Japan's National Police Agency, 55% of ransomware intrusions now originate through perimeter vulnerabilities, including VPNs. But this isn't just a regional issue.

In Europe, recent research from Corvus Insurance, as published by Cyber Magazine, shows that VPN vulnerabilities accounted for 28.7% of all ransomware attacks in Q3 2024, making them the leading attack vector. When other perimeter security appliance compromises (such as firewalls) are included, the figure rises to 58% of ransomware incidents.

Corvus are not alone.

Statista reports that in Q3 2024, 28.6% of global ransomware attacks used VPNs as the initial access vector — a sharp rise from just 4.8% in Q2.

The Zscaler ThreatLabz 2024 VPN Risk Report found:

  • 56% of organizations experienced one or more VPN-related cyberattacks in the past year.
  • 42% of respondents identified ransomware as the top threat exploiting VPN vulnerabilities.
  • 41% of organizations suffered multiple VPN-related attacks, showing how persistent and severe the issue is.

And yet, many organizations still rely on legacy VPNs with weak or outdated authentication to grant access to their most sensitive systems.

Why? Because nothing has gone wrong for them… yet.

In the security world, that’s not a comfort, it’s a major risk.

VPNs: Trusted Entryways Turned Trojan Horses

VPNs were designed to create a secure tunnel between remote users and corporate networks. In practice, that tunnel becomes a highway for attackers once a set of credentials is compromised. Worse still, the traditional VPN model places the connecting device on the internal network, so users (and anyone riding along with them) typically get far more reach than their job actually requires.

This isn’t just theoretical. In one ransomware case we personally know of, an executive fell victim to a phishing attack while traveling. The attackers lay low, undetected on his laptop, until he returned home. Once he connected to his company’s network via a site-to-site VPN, the attackers quietly rode along. As CEO, he had expansive network privileges, and from that single point of entry, the intruders spread laterally.

The result? Widespread encryption, paralyzed systems, and months of damage control.

The lesson is clear: VPNs with inadequate access controls and authentication present a massive vulnerability, particularly for high-privilege users and remote work environments.

MFA Is Not Enough — Especially When It’s Phishable

Multi-Factor Authentication (MFA) requires users to verify their identity with two or more factors: typically something they know (a password), something they have (a device), or something they are (a biometric). MFA is a critical layer of defence, but not all MFA is created equal.

Today's threat actors deploy adversary-in-the-middle (AiTM) phishing kits such as EvilProxy, Tycoon 2FA and Mamba 2FA. The kit sits between the victim and the real login page, relays the password and the one-time code to the genuine service in real time, and captures the authenticated session cookie the service hands back. The attacker never has to crack anything: the victim verifies once, and the attacker is in, with a session that already counts as MFA-complete.

This is where phishing-resistant MFA becomes essential.

Among phishing-resistant methods, certificate-based authentication (mutual TLS) is the one that validates the user and device during the TLS handshake, before any login screen is served; a client without a valid certificate never reaches the page at all. FIDO2 security keys are also phishing-resistant, for a different reason: the authenticator signs a challenge bound to the site's origin, so a look-alike page relayed through an AiTM proxy gets no usable response, but the login interface itself remains reachable by anyone, which leaves the attacker something to probe. Certificate-based authentication short-circuits the attempt by verifying authenticity at the gate, not the door.
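To make "authenticate at the gate" concrete, here is an added example written for this edit (not code from the original article or from Soliton) using only Go's standard library. A TLS listener is configured to require a client certificate chaining to an assumed enterprise CA, and the protected handler stands in for the login page. Three clients then connect: one with no certificate, one with a certificate issued by that CA, and one whose certificate was issued by an attacker's CA that copies the enterprise CA's name but not its private key. The CA and user names and the /login path are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Attempt records how one client fared against the mTLS gate.
type Attempt struct {
	Name string
	Body string // response body; empty when no HTTP response was ever served
	Err  error  // TLS handshake or transport error; nil on success
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert issues a P-256 certificate for cn. With parent == nil it is a
// self-signed CA; otherwise it is an end-entity certificate signed by parent.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{ // serial from the clock is unique enough for a demo
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// gate stands in for the login page; with RequireAndVerifyClientCert on the listener it never runs for an unverified caller.
func gate(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "welcome %s", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// connect makes one HTTPS request to the gate, optionally presenting a client certificate.
func connect(url string, roots *x509.CertPool, name string, cert *x509.Certificate, key *ecdsa.PrivateKey) Attempt {
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url + "/login")
	if err != nil {
		return Attempt{Name: name, Err: err} // rejected in the handshake; no HTTP response exists
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Attempt{Name: name, Body: string(body)}
}

// Demo stands up the gate and tries three clients against it.
func Demo() []Attempt {
	caCert, caKey := mintCert("Corp Device CA", nil, nil) // assumed enterprise device CA
	aliceCert, aliceKey := mintCert("alice", caCert, caKey)
	// The attacker can copy the CA's name, but not its private key.
	rogueCA, rogueKey := mintCert("Corp Device CA", nil, nil)
	rogueCert, rogueUserKey := mintCert("alice", rogueCA, rogueKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(gate))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool() // clients trust the test server's own certificate
	roots.AddCert(srv.Certificate())
	return []Attempt{
		connect(srv.URL, roots, "no client certificate", nil, nil),
		connect(srv.URL, roots, "certificate issued by Corp Device CA", aliceCert, aliceKey),
		connect(srv.URL, roots, "certificate issued by attacker's look-alike CA", rogueCert, rogueUserKey),
	}
}

func main() {
	for _, a := range Demo() {
		fmt.Printf("%-46s body=%q err=%v\n", a.Name, a.Body, a.Err)
	}
}
```

The first and third clients fail inside the TLS handshake and never receive an HTTP response, so there is no login page for a phishing kit to proxy or for an attacker to enumerate. Only the second client reaches the handler, which can then trust the verified certificate's subject instead of a typed password. Note that the name match alone buys the attacker nothing: verification is against the CA's public key in ClientCAs, not its subject string.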

And it's not just phishing. MFA fatigue attacks, where an attacker who already holds a valid password bombards the user with push notifications until one is approved, are on the rise. Microsoft observed 6,000 MFA fatigue attempts per day over the past year, and 1% of users will accept the very first unexpected MFA prompt without question.
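Push bombing leaves a clear trail in identity-provider logs before anyone approves, which makes it one of the easier identity attacks to detect. The following is an added example, not from the original article: a small Go detector run over constructed push-notification log lines (invented data using documentation IP ranges) that flags a user who receives five prompts within ten minutes and, separately, any approval that arrives while that burst is still inside the window. The log format, field names and thresholds are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one MFA push record: "<RFC3339 time> user=<name> event=<kind> ip=<addr>".
type Event struct {
	At         time.Time
	User, Kind string // Kind is push_sent, push_denied or push_approved
	IP         string
}

// Alert is a finding for the SOC to triage.
type Alert struct {
	User, Kind string // Kind is push_bombing or approval_after_bombing
	At         time.Time
	Detail     string
}

// constructedLog is invented sample telemetry for this example, not data from
// any real identity provider. Lines are deliberately out of time order.
const constructedLog = `
2025-03-04T08:00:00Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:00:05Z user=alice event=push_denied ip=203.0.113.7
2025-03-04T07:10:00Z user=bob event=push_sent ip=198.51.100.20
2025-03-04T07:10:20Z user=bob event=push_approved ip=198.51.100.20
2025-03-04T08:00:30Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:01:10Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:01:50Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:02:30Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:03:00Z user=alice event=push_sent ip=203.0.113.7
2025-03-04T08:03:12Z user=alice event=push_approved ip=203.0.113.7
`

// ParseLog parses each line and returns the events sorted by time, so that
// out-of-order delivery from the log pipeline cannot break the window logic.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			k, v, _ := strings.Cut(field, "=")
			kv[k] = v
		}
		events = append(events, Event{At: at, User: kv["user"], Kind: kv["event"], IP: kv["ip"]})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// DetectFatigue raises "push_bombing" the moment a user has received threshold
// prompts inside a sliding window, and "approval_after_bombing" for any approval
// that lands while such a burst is still inside the window.
func DetectFatigue(events []Event, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{} // per user: prompt times still inside the window
	var alerts []Alert
	for _, e := range events {
		q := recent[e.User]
		for len(q) > 0 && q[0].Before(e.At.Add(-window)) { // expire prompts older than the window
			q = q[1:]
		}
		switch e.Kind {
		case "push_sent":
			q = append(q, e.At)
			if len(q) == threshold { // fires once per burst, on the prompt that crosses the line
				alerts = append(alerts, Alert{e.User, "push_bombing", e.At, fmt.Sprintf("%d prompts within %s from %s", len(q), window, e.IP)})
			}
		case "push_approved":
			if len(q) >= threshold { // the "approved it to make it stop" outcome
				alerts = append(alerts, Alert{e.User, "approval_after_bombing", e.At, fmt.Sprintf("approved after %d prompts in %s; treat the session as compromised", len(q), window)})
			}
		}
		recent[e.User] = q
	}
	return alerts
}

func main() {
	events, err := ParseLog(constructedLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectFatigue(events, 5, 10*time.Minute) {
		fmt.Printf("%s %-22s user=%s %s\n", a.At.Format(time.RFC3339), a.Kind, a.User, a.Detail)
	}
}
```

On the constructed data this produces two alerts for alice (the fifth prompt at 08:02:30 and the approval at 08:03:12) and none for bob, whose single prompt and approval is normal behaviour. The second alert is the one that should page someone: it means a prompt was approved under pressure, so the resulting session, not just the password, has to be treated as attacker-controlled. Number-matching or phishing-resistant factors remove the attack entirely; this detection is the compensating control while push-based MFA is still in use.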

What Should Companies Do?

Let’s be clear: VPNs aren’t inherently bad. But using them as a one-size-fits-all access solution is increasingly dangerous. A more practical, modern approach involves:

  • Strong authentication: Prioritize certificate-based authentication over passwords and time-based codes. It’s phishing-resistant and can be deployed with user convenience in mind.
  • Least privilege access: Don’t let remote connections access the entire network. Segmentation is key.
  • Purpose-built environments: Solutions like Soliton Secure Workspace (SSW) and Soliton Secure Browser (SSB) offer isolated, tightly controlled environments ideal for contractors, third-party access, or remote staff, especially those on personal or BYOD devices. These can be used as part of a Zero Trust implementation.
  • Air-gapped fallback: For ultra-sensitive systems, Soliton OneGate enables air-gapped access with enforced MFA and session monitoring.

Zero Trust: A Mindset Shift

The transition away from VPNs aligns with the Zero Trust principle of "never trust, always verify". A traditional VPN verifies once, at connection time, and then trusts everything that flows through the tunnel. Zero Trust assumes that every user, device, and connection could be compromised, and enforces verification at every step and for every resource.

Soliton’s approach emphasizes practical, enforceable authentication strategies that match the real-world attack landscape. Because security only matters if it works under pressure.

Final Thought

Attackers today don't need brute force. They rely on subtlety: phishing, stolen VPN credentials, or MFA fatigue, to slip in undetected. Once inside, if your network model assumes trust, you've already lost.

It’s time for companies to stop waiting for an incident to drive change. The smarter move?

Act like you've already been breached — and make it as hard as possible for an attacker to go anywhere from there.

Mark Andrews
