Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Check Point Issues Emergency Patch for Security Gateways

Criminal and Nation-State Focus on Network Edge Devices Continues, Researchers Warn
Check Point Issues Emergency Patch for Security Gateways
Hackers are scanning the internet looking for poorly secured VPNs. (Image: Shutterstock)

Update: Check Point later on Tuesday released an emergency patch to address a vulnerability being exploited in the wild, designated CVE-2024-24919, that exists in security gateways that have Remote Access VPN or the Mobile Access blade enabled. "To remain protected, it is mandatory for customers to install this fix on Check Point network security gateways," the company said in an updated security alert.*

See Also: Guide to Strengthening Mainframe Security

Attackers are escalating attempts to compromise poorly secured virtual private networks to gain remote, initial access to enterprise networks.

"Over the past few months, we have observed increased interest of malicious groups in leveraging remote access VPN environments as an entry point and attack vector into enterprises," Check Point Software Technologies said Monday in a security alert.

The warning from the security vendor comes in the wake of data showing attackers are focused on exploiting edge devices - not just poorly secured VPNs but also firewalls and remote access protocols. Cyber insurer Coalition reported that while edge devices remain a critical security defense, its 2023 claims data shows that having "boundary devices with known vulnerabilities increased the likelihood of a business experiencing a cyber claim" (see: The Peril of Badly Secured Network Edge Devices).

Check Point said its telemetry shows VPN products from numerous vendors are being targeted, including its own devices. The company said it has stepped up monitoring efforts to track attackers' evolving tactics and assembled incident response and technical support teams to notify and assist targeted customers.

"Attackers are motivated to gain access to organizations over remote access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities to gain persistence on key enterprise assets," it said. "We have recently witnessed compromised VPN solutions, including various cybersecurity vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point's customers."

On that front, Check Point reported recently seeing "a small number of login attempts using old VPN local accounts relying on unrecommended password-only authentication method."

"As of May 24, we encountered three attack attempts," Gil Messing, chief of staff at Check Point, told Information Security Media Group. "Upon further analysis by our special teams, we identified what we believe to be a potentially recurring pattern (around the same number). While there have been only a few attempts globally, it's enough to recognize a trend and, more importantly, a straightforward way to ensure it's unsuccessful."*

The company recommends organizations immediately find and disable any local account they may have set to allow password-only access.

Such accounts can exist in the company's Security Gateways, including the Quantum Security Gateway and CloudGuard Network Security products, and specifically in the software blades - aka modules - named Mobile Access and Remote Access VPN. "Remote access is integrated into every Check Point network firewall," the company's website says. "Configure client-to-site VPN or set up an SSL VPN Portal to connect from any browser."

The firm released detailed instructions for finding and disabling all local accounts set to only use passwords, including a script that can be used to hunt them down, as well as details of how to delete these user accounts from the Security Management Server database. The company also released a security hotfix that can be installed in Security Gateways to block any local account from being able to use password-only authentication to log into a remote access VPN.

Other authentication options are available, including sending users a one-time password via SMS message or email, requiring users to enter their operating system password, using a RADIUS or TACACS server to provide the user with a response they must enter to a challenge, using a SoftID - the software version of RSA's SecurID - or other one-time password cards or USB tokens, or using various third-party authentication modules, including ones that use biometrics.

Edge Devices Under Fire

This isn't the first alert in recent months about how attackers are targeting public-facing VPNs.

Google Cloud's Mandiant threat intelligence unit recently warned that state-sponsored attackers have increased their focus on exploiting edge devices, including firewalls, VPNs and email filters, in part because they can be tough for defenders to properly monitor (see: State Hackers' New Frontier: Network Edge Devices).

Fresh campaigns continue to come to light. Last month, Cisco warned that beginning late last year, nation-state hackers began targeting its firewall appliances, seeking to install malware and exfiltrate data as part of a campaign it dubbed "Arcane Door." Cisco's Talos threat intelligence group reported that the campaign affected "a small set of customers," all in the government sector (see: Cisco Fixes Firewall 0-Days After Likely Nation-State Hack).

Brutus Botnet

Also last month, Cisco advised customers using remote VPN services to lock them down in light of a flurry of password-spraying attacks in which attackers attempted to use the same password to authenticate to many different public-facing accounts.

Security researcher Aaron Martin in March highlighted a likely link between these attacks and a previously undocumented, malware-spewing botnet he and fellow researcher Chris Grube dubbed Brutus, on account of its "bizarre brute-force activity."

The botnet appeared to be built from an array of infected devices, including various virtual machines, and compromised Windows and Linux systems, as well as "obscure IoT devices," Martin said.

The botnet was cycling through 20,000 IP addresses globally to target public-facing SSL VPN appliances from not just Cisco but also Fortinet, Palo Alto Networks and SonicWall, as well as an array of public-facing web applications that use Active Directory for authentication.

"The one thing everyone is seeing are these unique, nondisclosed accounts being brute-forced," he said, which raises questions about whether attackers might be targeting a zero-day exploit or using lists of accounts obtained via another breach.

Part of the botnet's bizarre behavior was its seemingly mindless persistence. "We're seeing roughly six attempts before a new IP steps in and starts trying. From there, it's just rinse and repeat," he said. "There's not any distinct location for the botnet either - countries ranging from the U.S., U.K., Russia, China, Netherlands, etc. - and it's random locations, i.e., business offices in Brooklyn, Azure, AWS, residential locations."

Martin said the identity of whoever is running Brutus remains unclear although there is circumstantial evidence in the form of two IP addresses previously seen in attacks attributed to APT29, aka Midnight Blizzard - formerly Nobelium - and Cozy Bear. Researchers have tied the group to the Russian Foreign Intelligence Service, which Western intelligence has blamed for major attacks against the likes of SolarWinds, Microsoft and others (see: After Microsoft Suffers Mega-Breach, What Can Customers Do?).

*Update May 29, 2024 08:35 UTC: This story has been updated to include further details from Check Point.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.