Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Lateral movement and VPN exposure: what security teams need to do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Cisco firewall flaws, SonicWall VPN abuse, SVG phishing, and exposed healthcare databases show a common pattern: attackers exploit entry points, then move laterally, disable protections, and steal data, according to ColorTokens. The decisive control is limiting blast radius, because perimeter failure becomes survivable only when internal movement is contained.

NHIMG editorial — based on content published by ColorTokens: Ransomware Protection Advisory: From Cisco Flaws to SonicWall Breaches

By the numbers:

  • The U.S. government even issued an emergency directive, urging agencies to patch or disconnect vulnerable devices within 24 hours.

Questions worth separating out

Q: What breaks when a compromised VPN or firewall account still has broad internal access?

A: A single exposed credential or device can become a full breach when it can reach backup servers, directory services, and endpoint management tools without friction.

Q: Why do stolen credentials and OTP seeds still defeat MFA in real incidents?

A: MFA fails when the attacker already controls the secret material that the second factor depends on.

Q: What do security teams get wrong about lateral movement prevention?

A: They often treat lateral movement as a detection problem when it is also a design problem.

Practitioner guidance

What's in the full article

ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on containing lateral movement with microsegmentation across hybrid environments.
  • Specific remediation actions for Cisco ASA/FTD and SonicWall VPN exposure, including prioritisation logic.
  • Practical indicators for spotting post-compromise activity such as RDP, SMB, BloodHound, Impacket, and dsquery usage.
  • Examples of how the advisory connects internal visibility gaps to ransomware spread and data theft.

👉 Read ColorTokens' ransomware protection advisory on Cisco flaws and SonicWall breaches →

Lateral movement and VPN exposure: what security teams need to do?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Perimeter compromise is now an identity problem, not just a network problem. When VPNs and firewalls remain exposed, they become trusted authentication paths into the enterprise, and that trust is exactly what attackers convert into lateral movement. The control question is no longer whether the edge can be attacked, but whether identity-bound access inside the environment is narrowly enough scoped to fail safely. Practitioners should treat exposed remote access as a cross-domain IAM and resilience issue, not a siloed infrastructure ticket.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The Secret Sprawl Challenge.
  • 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.

A question worth separating out:

Q: How should organisations contain ransomware when exposed devices and stolen credentials are both in play?

A: They should combine rapid edge remediation with internal compartmentalisation. Patch or disconnect exposed devices, then isolate backup, identity, and management systems so compromised access cannot cascade. That approach reduces the chance that one breach path becomes a multi-system incident.

👉 Read our full editorial: Ransomware resilience depends on stopping lateral movement, not just entry



   
ReplyQuote
Share: