Attackers Target Check Point VPNs to Access Corporate Networks

Published: 23/11/2024   Category: security




Using VPNs as an initial access vector is ironic, given that security is the very reason enterprises employ them in the first place.



UPDATE
A vulnerability in Check Point virtual private network (VPN) products could potentially leak information to malicious actors.
In recent months, Check Point researchers have observed an increase in attackers using remote access VPNs as a golden ticket for initial network access. Multiple cybersecurity vendors' solutions have been compromised, according to a March 27 blog post, which prompted them to look into their own.
On May 28, the company discovered an information disclosure vulnerability affecting its security gateways with remote or mobile access enabled. The issue has been labeled CVE-2024-24919.
Thus far, there have only been a handful of cases of attackers attempting to exploit CVE-2024-24919 in the wild. "However, while there have been only a few attempts globally, it's enough to recognize a trend and, more importantly, a straightforward [cause] to ensure it's unsuccessful," Check Point chief of staff Gil Messing told Dark Reading on Tuesday.
Check Point is urging all customers with mobile-enabled VPNs to install a newly released hotfix. Customers who only use VPNs site-to-site are also advised to install the fix.
Remote access VPNs are a bit different from the VPNs most people are used to. Where regular ones route an individual's Internet traffic through shared servers in order to conceal their Internet activity, remote access VPNs are used to provide specific individuals with secure access to specific networks. They're useful, for instance, in providing remote workers access to their employer's internal resources.
They're also useful for malicious purposes. Rather than having to, say, exploit a publicly facing server or a zero-day vulnerability, a hacker could use a remote access VPN for clean, unfettered access to an organization's IT environment. From there, they could begin establishing persistence, probing for vulnerabilities, and much more. How, though, do they get access to that VPN connection in the first place?
The easiest way is via insufficiently protected accounts. In the cases Check Point uncovered, attackers attempted to leverage old VPN accounts that were protected only with a single password but were otherwise up for grabs.
To protect user accounts, besides monitoring or even disabling them, Check Point recommended that organizations require authentication checks beyond simple passwords.
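The two account weaknesses described above (password-only authentication and old accounts that nobody disabled) are straightforward to audit from gateway authentication logs. The script below is an added example written for this page, not Check Point's code or tooling; the log line format, field names (`user=`, `method=`, `result=`), the sample entries and the `SAMPLE_NOW` reference time are all constructed for illustration, and the 60-day staleness threshold and the `admin` default-account name are assumptions a real deployment would replace with its own values.

```python
"""Audit VPN accounts for password-only authentication, stale accounts,
and vendor default account names, from a simple authentication log.

Added example, not vendor code. Log format and thresholds are constructed
assumptions; real gateway logs use different fields."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamp, user, auth method, result.
SAMPLE_LOG = """\
2024-05-20T08:01:12Z user=alice method=certificate result=success
2024-05-21T09:15:40Z user=bob method=password result=success
2024-02-02T17:44:03Z user=svc_backup method=password result=success
2024-05-27T22:03:09Z user=admin method=password result=failure
2024-05-27T22:03:15Z user=admin method=password result=failure
2024-05-28T07:10:00Z user=carol method=password+otp result=success
"""

# Constructed "current time" so the sample audit is reproducible.
SAMPLE_NOW = datetime(2024, 5, 29, tzinfo=timezone.utc)


@dataclass
class Finding:
    user: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Turn one 'ts key=value key=value' line into a dict with a UTC datetime."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def audit(log_text, now, stale_days=60, known_defaults=("admin",)):
    """Return a Finding per account that fails any of the checks.

    - password-only: every observed login attempt used a bare password
    - stale: no successful login within stale_days (or never)
    - default: account name matches a vendor default (assumed list)
    """
    by_user = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_user.setdefault(rec["user"], []).append(rec)

    findings = []
    for user, recs in sorted(by_user.items()):
        reasons = []
        methods = {r["method"] for r in recs}
        if methods == {"password"}:
            reasons.append("password-only authentication")
        successes = [r["ts"] for r in recs if r["result"] == "success"]
        last_ok = max(successes) if successes else None
        if last_ok is None or now - last_ok > timedelta(days=stale_days):
            reasons.append(f"no successful login in {stale_days} days")
        if user in known_defaults:
            reasons.append("vendor default account name")
        if reasons:
            findings.append(Finding(user, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, SAMPLE_NOW):
        print(f"{f.user}: {'; '.join(f.reasons)}")
```

On the constructed sample this flags `admin` (password-only, never logged in successfully, default name), `bob` (password-only but active) and `svc_backup` (password-only and idle for months), while `alice` and `carol`, who authenticate with a certificate and password plus OTP respectively, pass. Accounts in the first and third groups are the ones the article suggests disabling or moving to stronger authentication; running the check against the gateway's real user list rather than only the log also catches accounts that never appear in the log at all.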
Jason Soroko, senior vice president of product at Sectigo, echoes the point. "Username and password authentication is below the threshold of basic security, especially when much stronger forms of authentication are available. In addition to being insecure and inefficient, passwords are becoming increasingly inappropriate for many modern enterprise use-cases." This is especially true, he adds, when users end up keeping the usernames and passwords that come with the product by default, making the job of guessing them a cinch.
Instead, he suggests, "Many of today's enterprise applications already actively support modern alternatives to passwords by offering certificate-based authentication. It's stronger because it's based on an impossible-, or nearly impossible-to-guess secret that is not shared. The user experience is superior because once the user is provisioned, there is nothing for them to do except to initiate the authentication process. The authentication handshake takes place, and the VPN server can then be assured of who is authenticated. Username and password authentication gives no such assurance."
Others go further. "This is a stark reminder for organizations to make urgent plans to shift from legacy VPNs to Zero Trust Network Access (ZTNA) solutions," says Venky Raju, Field CTO at ColorTokens. He points to the latest Ivanti VPN balagan as an indication of where VPNs naturally fall short.
ZTNA solutions have several advantages over VPNs, he says, chief of which is that ZTNA inherently limits what the end user can access using the principles of least privilege. Also, ZTNA solutions have better integration with the enterprise's identity management system, reducing the risk of compromised passwords or misconfigurations.
Besides that, he adds, "Organizations should consult vendor documentation and advisories to remove unnecessary or unused features, implement strong authentication, audit all existing default accounts, and establish a patching process."
This article was updated on May 29 at 11:30 a.m. ET, following Check Point's disclosure of a CVE, and a patch for it.
