Attackers target poorly secured VPNs


Researchers warn that criminals and nation states remain focused on network edge devices

Mathew J. Schwartz (euroinfosec) •
May 28, 2024


Attackers are increasing their attempts to compromise poorly secured virtual private networks to gain remote initial access to corporate networks.


“Over the past several months, we have seen increased interest from malicious groups in using remote access VPN environments as an entry point and attack vector into enterprises,” Check Point Software Technologies said in a security alert on Monday.

The security vendor’s warning comes as data shows attackers are concentrating on edge devices: not just poorly secured VPNs, but also firewalls and remote access protocols. Cyber insurer Coalition reported that while edge devices remain a key part of security defenses, its 2023 claims data shows that having “edge devices with known security vulnerabilities increases the likelihood that a company will experience a cyber claim” (see: The danger of poorly secured network edge devices).

Check Point said its telemetry data shows VPN products from multiple vendors are being targeted, including its own devices. The company said it has intensified monitoring efforts to track attackers’ evolving tactics and has established incident response and technical support teams to notify and assist targeted customers.

“Attackers are motivated to gain access to organizations via remote access configurations to attempt to discover relevant enterprise assets and users, searching for vulnerabilities, and obtain persistence of key enterprise assets,” it said. “We recently witnessed a breach of VPN solutions, including from various cybersecurity providers. In light of these events, we are monitoring attempts to gain unauthorized access to Check Point customers’ VPNs.”

In that context, Check Point recently reported seeing “a small number of login attempts using old local VPN accounts based on a non-recommended password-only authentication method.”

A spokesperson told Bleeping Computer that the attack pattern so far amounted to “a total of a few attempts around the world, but enough to understand the trend,” and that it is one that can be easily blocked.

The provider recommends that organizations immediately find and disable any local accounts that they have configured to allow password-only access.

Such accounts may exist on enterprise security gateways, including Quantum Security Gateway and CloudGuard Network Security products, and especially in the software blades (Check Point’s term for its add-on modules) called Mobile Access and Remote Access VPN. “Remote access is integrated with every Check Point firewall,” the company’s website says. “Set up a client-to-site VPN or configure an SSL VPN portal to connect from any browser.”

The company has published detailed instructions on how to find and disable all local accounts configured to authenticate with a password only, including a script that can be used to look for them, as well as details on how to remove these user accounts from the Security Management Server database. It has also released a hotfix that can be installed on Security Gateways to block any local account from using password-only authentication to log into a remote access VPN.

Other authentication options are available: sending users a one-time password via SMS or email; authenticating users against their operating system password; using a RADIUS or TACACS server to issue a challenge the user must answer; using SoftID (a software version of RSA’s SecurID token) or other one-time-password cards or USB tokens; or using various third-party authentication modules, including biometrics.

Edge devices under fire

This isn’t the first alert in recent months about attackers targeting internet-facing VPNs.

Google Cloud’s Mandiant threat intelligence unit recently warned that state-sponsored attackers are increasing their focus on exploiting edge devices, including firewalls, VPNs and email filters, in part because defenders may have difficulty monitoring them properly (see: The new frontier for state hackers: network edge devices).

New campaigns are constantly coming to light. Last month, Cisco warned that since late last year, nation-state hackers had been targeting the company’s firewall devices, attempting to install malware and exfiltrate data in a campaign it dubbed “ArcaneDoor.” Cisco’s Talos threat intelligence group reported that the campaign affected a “small group of customers,” all in the government sector (see: Cisco fixes firewall zero-days after possible nation-state hack).

Brutus botnet

Also last month, Cisco advised customers running remote access VPN services to lock them down in light of a series of password spray attacks, in which attackers try the same password against many different accounts on internet-facing services.

In March, security researcher Aaron Martin highlighted a likely connection between these attacks and a previously undocumented, malware-spread botnet that he and colleague Chris Grube dubbed Brutus for its “bizarre brute-force activity.”

The botnet appears to have been built from a number of compromised devices, including various virtual machines, infected Windows and Linux systems, as well as “unknown IoT devices,” Martin said.

The botnet routed its attempts through 20,000 IP addresses around the world to attack internet-facing SSL VPN devices from not only Cisco but also Fortinet, Palo Alto Networks and SonicWall, as well as a number of public web applications that use Active Directory for authentication.

“The only thing everyone can see is that these unique, undisclosed accounts are being brute forced,” he said, raising the question of whether the attackers are exploiting a zero-day vulnerability or working from account lists obtained in an earlier breach.

Part of the botnet’s bizarre behavior was its seemingly mindless persistence. “We’ve seen about six attempts before a new IP comes in and starts trying. Then it’s just rinse and repeat,” he said. “There is also no specific location for the botnet – it’s in different countries – from the US, UK, Russia, China, Netherlands, etc. These are random locations, i.e. business offices in Brooklyn, Azure, AWS, or residential locations.”
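The rotation pattern just described (roughly six failures per source, then a fresh IP) is designed to stay under per-IP lockout thresholds, so a defender has to aggregate failures across sources. The following is an added illustration, not code from the article or the researchers: a small detector run over a constructed VPN authentication log; the log format, the RFC 5737 test addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in lines) if m]

def analyse(events, per_ip_threshold=10, min_ips=5, min_users=5):
    """Classic per-IP failure alerts plus an aggregate verdict for a distributed spray.
    per_ip_threshold: failures from one source that trip a normal lockout/alert.
    min_ips, min_users: distinct quiet sources and targeted accounts that make the
    combined pattern suspicious even though no single IP crosses the threshold.
    """
    fails_by_ip, users_by_ip = defaultdict(int), defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["src"]] += 1
            users_by_ip[e["src"]].add(e["user"])
    per_ip_alerts = sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold)
    # Low-and-slow case: every IP stays under the threshold, but together they
    # touch many accounts. Aggregate across sources instead of per source.
    quiet_ips = [ip for ip, n in fails_by_ip.items() if n < per_ip_threshold]
    targeted = set().union(*(users_by_ip[ip] for ip in quiet_ips))
    return {
        "per_ip_alerts": per_ip_alerts,
        "distributed_spray": len(quiet_ips) >= min_ips and len(targeted) >= min_users,
        "quiet_ips": len(quiet_ips),
        "targeted_users": sorted(targeted),
        "max_fails_per_ip": max(fails_by_ip.values(), default=0),
    }

def build_sample():
    """Constructed sample: five RFC 5737 test IPs, six failures each across eight
    accounts, then one legitimate login. No IP reaches a classic lockout threshold."""
    users = [f"user{i}" for i in range(8)]
    lines, minute = [], 0
    for k in range(5):
        for j in range(6):
            user = users[(k * 6 + j) % len(users)]
            lines.append(f"2024-04-02T10:{minute:02d}:00Z vpn-gw auth "
                         f"user={user} src=203.0.113.{10 + k} result=FAIL")
            minute += 1
    lines.append("2024-04-02T10:59:00Z vpn-gw auth user=user0 src=198.51.100.7 result=OK")
    return lines
```

Run against the sample, the per-IP alert list stays empty while the aggregate verdict flags the spray, which is the gap a per-source-only rule leaves open.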

Martin said the identity of whoever runs Brutus remains unclear, although there is circumstantial evidence in the form of two IP addresses previously seen in attacks attributed to APT29, also known as Midnight Blizzard (formerly Nobelium) and Cozy Bear. Researchers have linked the group to Russia’s Foreign Intelligence Service, which Western intelligence agencies blame for major attacks on SolarWinds, Microsoft and others (see: What can customers do after Microsoft suffers a major breach?).