
Hackers target Check Point VPNs to hack corporate networks

Malicious actors are targeting Check Point Remote Access VPN devices as part of an ongoing campaign to hack into corporate networks, the company warned in an advisory published Monday.

Remote access is built into all Check Point network firewalls. It can be configured as a client-to-site VPN for accessing corporate networks via VPN clients or configured as an SSL VPN portal for web access.


Check Point says the attackers are targeting security gateways through legacy local accounts that still use password-only authentication, a method the vendor does not recommend. Such accounts should instead be paired with certificate authentication, so that a guessed or leaked password alone is not enough to log in.

“We have recently witnessed compromised VPN solutions, including those from various cybersecurity vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to Check Point customers’ VPNs. On May 24, 2024, we identified a small number of login attempts using legacy local VPN accounts that relied on a non-recommended password-only authentication method,” the company said.

“We saw 3 such attempts, and later when we analyzed it in more detail with the special teams we put together, we saw what we think was potentially the same pattern (around the same number). So, a few attempts in total, but enough to understand a trend and, more importantly, a fairly simple way to ensure it fails,” a Check Point spokesperson told BleepingComputer.

To defend against these continued attacks, Check Point has warned its customers to look for such vulnerable accounts on Quantum Security Gateway and CloudGuard Network Security products as well as Mobile Access and Remote Access VPN software blades.

Customers are advised to change the user authentication method to more secure options (following the instructions in this support document) or remove vulnerable local accounts from the Security Management Server database.

The company also released a Security Gateway patch that will prevent all local accounts from authenticating with a password. After installation, local accounts with weak password-only authentication will not be able to connect to the Remote Access VPN.

Vulnerable local account blocked after patch installation (Check Point)

Customers can find more information about improving their VPN security in this support article, which also shares tips on how to respond to unauthorized access attempts.

Cisco VPN devices are also heavily targeted

Check Point is the second company to warn that its VPN devices are the target of continued attacks in recent months.

In April, Cisco also warned of widespread credential brute force attacks targeting VPN and SSH services on Cisco, Check Point, SonicWall, Fortinet and Ubiquiti devices.

This campaign began around March 18, 2024, with attacks originating from TOR exit nodes and using various other anonymization tools and proxies to evade blocks.

A month earlier, Cisco warned of a wave of password spraying attacks targeting Cisco Secure Firewall devices running Remote Access VPN (RAVPN) services, likely as first-stage reconnaissance activity.
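Both the Check Point advice above (find local accounts still authenticating with a password alone, then migrate or delete them) and the Cisco warnings about brute-force and password-spraying campaigns come down to questions you can answer from the gateway's authentication log. The script below is an added example, not code from Check Point, Cisco or BleepingComputer. The whitespace-separated log format, the sample events and the thresholds (5-minute window, 5 usernames for spraying, 3 failures for brute force) are all constructed assumptions for illustration; map your gateway's real export onto the `Event` fields before using it.

```python
"""Audit remote-access VPN authentication events for the patterns in the
article: legacy local accounts still using password-only auth, and
brute-force / password-spraying runs against the VPN login.

Added example; not Check Point, Cisco or BleepingComputer code.
ASSUMPTION: the log format below is constructed for this example.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real traffic):
# timestamp  source-ip  username  auth-method  result  account-scope
SAMPLE_LOG = """\
2024-05-24T09:00:01Z 198.51.100.7 svc_backup password FAIL local
2024-05-24T09:00:04Z 198.51.100.7 svc_backup password FAIL local
2024-05-24T09:00:07Z 198.51.100.7 svc_backup password FAIL local
2024-05-24T09:00:12Z 198.51.100.7 svc_backup password SUCCESS local
2024-05-24T09:01:00Z 203.0.113.5 alice password FAIL local
2024-05-24T09:01:02Z 203.0.113.5 bob password FAIL local
2024-05-24T09:01:04Z 203.0.113.5 carol password FAIL local
2024-05-24T09:01:06Z 203.0.113.5 dave password FAIL local
2024-05-24T09:01:08Z 203.0.113.5 erin password FAIL local
2024-05-24T09:05:00Z 192.0.2.20 alice certificate+password SUCCESS directory
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    method: str   # "password" = password only; anything else is stronger
    result: str   # "SUCCESS" or "FAIL"
    scope: str    # "local" = defined on the gateway, "directory" = AD/LDAP


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, method, result, scope = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                src, user, method, result, scope))
    return sorted(events, key=lambda e: e.ts)


def legacy_password_only_accounts(events: list[Event]) -> list[str]:
    """Local accounts seen authenticating with a password alone: the ones the
    advisory says to move to certificate auth or delete."""
    return sorted({e.user for e in events
                   if e.scope == "local" and e.method == "password"})


def allowed_after_hardening(e: Event) -> bool:
    """Policy once password-only local auth is disabled on the gateway."""
    return not (e.scope == "local" and e.method == "password")


def _peak_in_window(evs, window, score):
    """Slide a time window over time-ordered events; return the peak score."""
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        best = max(best, score(evs[start:end + 1]))
    return best


def detect_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Sources trying many distinct usernames in a short window (few guesses
    per account, so per-account lockouts never trigger)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        peak = _peak_in_window(evs, window, lambda w: len({e.user for e in w}))
        if peak >= min_users:
            flagged[src] = peak
    return flagged


def detect_bruteforce(events, window=timedelta(minutes=5), min_fails=3):
    """(source, user) pairs with repeated failures in a short window."""
    by_key = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            by_key[(e.src, e.user)].append(e)
    flagged = {}
    for key, evs in by_key.items():
        peak = _peak_in_window(evs, window, len)
        if peak >= min_fails:
            flagged[key] = peak
    return flagged


def successes_after_bruteforce(events, bruteforce):
    """Brute-forced pairs that logged in after their last failure: treat as a
    likely compromise (revoke sessions, reset, investigate), not an attempt."""
    last_fail = {}
    for e in events:
        if e.result == "FAIL" and (e.src, e.user) in bruteforce:
            last_fail[(e.src, e.user)] = e.ts
    return sorted(k for k, t in last_fail.items()
                  if any(e.src == k[0] and e.user == k[1] and e.ts > t
                         and e.result == "SUCCESS" for e in events))


def main() -> None:
    events = parse_log(SAMPLE_LOG)
    print("password-only local accounts:", legacy_password_only_accounts(events))
    print("spraying sources:", detect_spraying(events))
    bf = detect_bruteforce(events)
    print("brute-forced accounts:", bf)
    print("likely compromised:", successes_after_bruteforce(events, bf))


if __name__ == "__main__":
    main()
```

On the sample data the inventory lists every local account still on password-only auth (including the ones only seen in failed attempts, since an attacker enumerating them tells you they exist), the spraying check flags the one source cycling through five usernames, and the brute-force check flags `svc_backup`, whose later success from the same source is the case to escalate. The thresholds are assumptions to tune against your own baseline; since the article notes the Cisco-reported campaign came from TOR exit nodes and proxies, correlating the flagged source addresses with a Tor exit list is a natural next step.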

Security researcher Aaron Martin linked this activity to an undocumented malware botnet he dubbed “Brutus,” which controlled at least 20,000 IP addresses on cloud services and residential networks.

Last month, the company also revealed that the state-backed hacking group UAT4356 (aka STORM-1849) had been exploiting zero-day bugs in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to break into government networks around the world since at least November 2023, as part of a cyberespionage campaign tracked as ArcaneDoor.

Update May 27, 2:28 p.m. EDT: Added Check Point statement.

News Source : www.bleepingcomputer.com