Hackers target Check Point VPNs to breach enterprise networks

May 27, 2024 at 02:24PM

Check Point warns of an ongoing campaign targeting Remote Access VPN devices, affecting enterprise networks. Attackers are exploiting old local accounts that rely on insecure password-only authentication. Check Point advises customers to secure these accounts and install a hotfix that blocks login attempts using password-only authentication. Cisco has also reported credential brute-forcing attacks on VPN and SSH services.

The key takeaways are:

1. Threat actors are targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks.
2. Attackers are focusing on security gateways with old local accounts using insecure password-only authentication, emphasizing the importance of using certificate authentication to prevent breaches.
3. Steps for customers to defend against these ongoing attacks include checking for vulnerable accounts and changing user authentication methods to more secure options, as well as deleting vulnerable local accounts from the Security Management Server database.
4. Check Point has released a Security Gateway hotfix to block all local accounts from authenticating with a password, preventing logins with weak password-only authentication.
5. The attacks on VPN devices are not limited to Check Point, as Cisco has also warned about widespread credential brute-forcing attacks targeting VPN and SSH services on various devices.
6. Security researcher Aaron Martin linked a wave of password-spraying attacks to an undocumented malware botnet called “Brutus,” which controlled at least 20,000 IP addresses across cloud services and residential networks.

These takeaways highlight the urgency for customers to take immediate action to secure their VPN devices and protect against potential breaches.
