
Introduction

Check Point has recently reported targeted attacks on its Remote Access VPN devices, a concern for the many businesses that rely on these gateways for secure remote access. Attackers are exploiting old local accounts with insecure password-only authentication to breach these systems.

Background of the Threat 

On May 27, 2024, Check Point issued an advisory warning of an ongoing campaign targeting its Remote Access VPN devices. This campaign is not isolated; it follows a series of similar attacks on other cyber security vendors. Attackers are leveraging old local accounts with insecure password-only authentication to breach security gateways.

Tactics, Techniques, and Procedures (TTPs) 

The primary tactic involves targeting security gateways with outdated local accounts. These accounts often rely on password-only authentication, which is highly vulnerable to brute-force and password-spraying attacks. In some cases, attackers have been able to identify and exploit these weak points to gain initial access.

The techniques used in these attacks include: 

  1. Credential Brute-Forcing: Repeated attempts to guess the correct username and password combination for a single account.
  2. Password Spraying: Trying a few common passwords across many accounts, which avoids the lockouts and alerts triggered by rapid, repeated login attempts on a single account.
  3. Use of Anonymisation Tools: Attackers use Tor exit nodes and other proxies to mask their origin, making it difficult to trace the attack back to its source.
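The two credential-guessing patterns above leave different footprints in gateway authentication logs: brute-forcing piles failures onto one account, while spraying spreads a few failures across many accounts from the same source. The script below is an added illustration, not code from Check Point or from this post; it runs over constructed sample events in a simplified `timestamp source_ip username result` format (an assumption, not Check Point's real log layout) and flags both patterns plus any login that succeeds after a run of failures.

```python
from collections import defaultdict

# Constructed sample of VPN authentication events, assumed to be in chronological
# order. The layout is a simplified stand-in, not Check Point's own log format.
SAMPLE_LOG = """\
2024-05-28T01:00:01 203.0.113.7 jsmith FAIL
2024-05-28T01:00:03 203.0.113.7 jsmith FAIL
2024-05-28T01:00:05 203.0.113.7 jsmith FAIL
2024-05-28T01:00:08 203.0.113.7 jsmith FAIL
2024-05-28T01:00:10 203.0.113.7 jsmith FAIL
2024-05-28T01:00:12 203.0.113.7 jsmith SUCCESS
2024-05-28T01:05:00 198.51.100.9 admin FAIL
2024-05-28T01:05:02 198.51.100.9 backup FAIL
2024-05-28T01:05:04 198.51.100.9 vpnuser FAIL
2024-05-28T01:05:06 198.51.100.9 support FAIL
2024-05-28T01:05:08 198.51.100.9 test FAIL
2024-05-28T02:00:00 192.0.2.44 agreen FAIL
2024-05-28T02:00:30 192.0.2.44 agreen SUCCESS
"""

BRUTE_THRESHOLD = 5        # failures against one account from one source
SPRAY_THRESHOLD = 4        # distinct accounts failed from one source
SUCCESS_AFTER_FAILURES = 3 # prior failures that make a later success worth review


def parse_events(text):
    """Yield (source_ip, username, result) from the simplified log text."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, user, result = line.split()
            yield src, user, result


def analyse(text, brute_threshold=BRUTE_THRESHOLD, spray_threshold=SPRAY_THRESHOLD):
    """Return per-source findings: brute-forced accounts, spraying, suspicious logins."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    suspicious = defaultdict(set)                      # src -> users logged in after failures
    for src, user, result in parse_events(text):
        if result == "FAIL":
            failures[src][user] += 1
        elif result == "SUCCESS" and failures.get(src, {}).get(user, 0) >= SUCCESS_AFTER_FAILURES:
            suspicious[src].add(user)
    findings = {}
    for src, per_user in failures.items():
        brute = sorted(u for u, n in per_user.items() if n >= brute_threshold)
        # Spraying: many distinct accounts, none hammered hard enough to look like brute force.
        spray = len(per_user) >= spray_threshold and max(per_user.values()) < brute_threshold
        logins = sorted(suspicious.get(src, ()))
        if brute or spray or logins:
            findings[src] = {"brute_force": brute, "spraying": spray, "success_after_failures": logins}
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, f)
```

The thresholds are assumptions to tune against your own gateway's normal failure rate; a success following a burst of failures is the case that most warrants the incident-response steps described later in this post.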

Preventive Measures 

Check Point has provided several recommendations and solutions to mitigate these attacks: 

  1. Update Authentication Methods: Shift from password-only authentication to more secure methods such as multi-factor authentication (MFA) or certificate-based authentication. 
  2. Install Security Gateway Hotfix: A hotfix has been released to block local accounts from authenticating with passwords alone. Ensure this is installed across all relevant systems. 
  3. Regular Account Audits: Conduct thorough checks on all local accounts to identify any that use insecure authentication methods. Disable any that are not in use. 
  4. Monitor and Configure Properly: Use Check Point’s support documents to properly configure and monitor your VPN settings to ensure they meet the latest security standards. 

Responding to an Attack 

If you suspect or have identified that your system has been compromised, take the following steps immediately: 

  1. Isolate Affected Systems: Disconnect the compromised systems from the network to prevent further unauthorised access. 
  2. Change All Credentials: Update all passwords and switch to more secure authentication methods. 
  3. Conduct a Thorough Investigation: Engage your incident response team to perform a detailed analysis of the breach, including understanding the extent of the compromise and the TTPs used. 
  4. Apply Security Patches: Ensure all systems are up-to-date with the latest security patches and hotfixes provided by Check Point or other relevant vendors. 
  5. Contact Check Point Support: Reach out to Check Point technical support for further assistance and to report the breach. 

The targeting of Check Point Remote Access VPNs highlights the critical need for robust cyber security practices and proactive measures. By enhancing authentication methods, regularly auditing accounts, and staying updated with the latest security patches, enterprises can significantly reduce the risk of such attacks.