Criminal and Nation-State Focus on Network Edge Devices Continues, Researchers Warn
Attackers are escalating attempts to compromise poorly secured virtual private networks to gain remote, initial access to enterprise networks.
“Over the past few months, we have observed increased interest of malicious groups in leveraging remote access VPN environments as an entry point and attack vector into enterprises,” Check Point Software Technologies said Monday in a security alert.
The warning from the security vendor comes in the wake of data showing attackers are focused on exploiting edge devices – not just poorly secured VPNs but also firewalls and remote access protocols. Cyber insurer Coalition reported that while edge devices remain a critical security defense, its 2023 claims data shows that having “boundary devices with known vulnerabilities increased the likelihood of a business experiencing a cyber claim” (see: The Peril of Badly Secured Network Edge Devices).
Check Point said its telemetry shows VPN products from numerous vendors are being targeted, including its own devices. The company said it has stepped up monitoring efforts to track attackers’ evolving tactics and assembled incident response and technical support teams to notify and assist targeted customers.
“Attackers are motivated to gain access to organizations over remote access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities to gain persistence on key enterprise assets,” it said. “We have recently witnessed compromised VPN solutions, including various cybersecurity vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.”
On that front, Check Point reported recently seeing “a small number of login attempts using old VPN local accounts relying on unrecommended password-only authentication method.”
A spokesperson told Bleeping Computer that the attack pattern so far amounted to “a few attempts globally all in all but enough to understand a trend” – one that’s easy to block.
The vendor recommends organizations immediately find and disable any local account they may have set to allow password-only access.
Such accounts can exist in the company’s Security Gateways, including the Quantum Security Gateway and CloudGuard Network Security products, and specifically in the software blades – aka modules – named Mobile Access and Remote Access VPN. “Remote access is integrated into every Check Point network firewall,” the company’s website says. “Configure client-to-site VPN or set up an SSL VPN Portal to connect from any browser.”
The firm released detailed instructions for finding and disabling all local accounts set to only use passwords, including a script that can be used to hunt them down, as well as details of how to delete these user accounts from the Security Management Server database. The company also released a security hotfix that can be installed in Security Gateways to block any local account from being able to use password-only authentication to log into a remote access VPN.
Other authentication options are available, including sending users a one-time password via SMS message or email, requiring users to enter their operating system password, using a RADIUS or TACACS server to provide the user with a response they must enter to a challenge, using a SoftID – the software version of RSA’s SecurID – or other one-time password cards or USB tokens, or using various third-party authentication modules, including ones that use biometrics.
Edge Devices Under Fire
This isn’t the first alert in recent months about how attackers are targeting public-facing VPNs.
Google Cloud’s Mandiant threat intelligence unit recently warned that state-sponsored attackers have increased their focus on exploiting edge devices, including firewalls, VPNs and email filters, in part because they can be tough for defenders to properly monitor (see: State Hackers’ New Frontier: Network Edge Devices).
Fresh campaigns continue to come to light. Last month, Cisco warned that beginning late last year, nation-state hackers began targeting its firewall appliances, seeking to install malware and exfiltrate data as part of a campaign it dubbed “Arcane Door.” Cisco’s Talos threat intelligence group reported that the campaign affected “a small set of customers,” all in the government sector (see: Cisco Fixes Firewall 0-Days After Likely Nation-State Hack).
Brutus Botnet
Also last month, Cisco advised customers using remote VPN services to lock them down in light of a flurry of password-spraying attacks in which attackers attempted to use the same password to authenticate to many different public-facing accounts.
Security researcher Aaron Martin in March highlighted a likely link between these attacks and a previously undocumented, malware-spewing botnet he and fellow researcher Chris Grube dubbed Brutus, on account of its “bizarre brute-force activity.”
The botnet appeared to be built from an array of infected devices, including various virtual machines, and compromised Windows and Linux systems, as well as “obscure IoT devices,” Martin said.
The botnet was cycling through 20,000 IP addresses globally to target public-facing SSL VPN appliances from not just Cisco but also Fortinet, Palo Alto Networks and SonicWall, as well as an array of public-facing web applications that use Active Directory for authentication.
“The one thing everyone is seeing are these unique, nondisclosed accounts being brute-forced,” he said, which raises questions about whether attackers might be targeting a zero-day exploit or using lists of accounts obtained via another breach.
Part of the botnet’s bizarre behavior was its seemingly mindless persistence. “We’re seeing roughly six attempts before a new IP steps in and starts trying. From there, it’s just rinse and repeat,” he said. “There’s not any distinct location for the botnet either – countries ranging from the U.S., U.K., Russia, China, Netherlands, etc. – and it’s random locations, i.e., business offices in Brooklyn, Azure, AWS, residential locations.”
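The rotating pattern Martin describes, a handful of attempts per IP before the next IP steps in, never trips a per-source lockout threshold; the per-account view across sources does. As an added example (not from the article, nor from any researcher or vendor it names), the Python below parses constructed, syslog-style VPN failure lines and flags both that rotating pattern and single-source password spraying; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed syslog-style line shape: "... auth-fail user=<name> src=<ip>"
LINE_RE = re.compile(r"auth-fail user=(?P<user>\S+) src=(?P<src>\S+)")

def constructed_log():
    """Constructed VPN failure lines (not from any real product) with three patterns:
    a Brutus-like rotation, a single-IP spray, and an ordinary user typo."""
    lines = []
    # One account hit from rotating IPs, about six tries each, then the next IP steps in.
    for ip in ("198.51.100.11", "203.0.113.42", "192.0.2.77"):
        lines += [f"2024-05-27T10:00:00Z vpn01 auth-fail user=svc_backup src={ip}"] * 6
    # One IP trying one password against many accounts (classic spraying).
    for user in ("alice", "bob", "carol", "dave", "erin"):
        lines.append(f"2024-05-27T10:02:00Z vpn01 auth-fail user={user} src=198.51.100.200")
    # A legitimate user mistyping a password twice from one address: not flagged.
    lines += ["2024-05-27T10:03:00Z vpn01 auth-fail user=jdoe src=203.0.113.9"] * 2
    return "\n".join(lines)

def parse_failures(log_text):
    """Return {user: {src_ip: failure_count}} built from auth-fail lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures[m["user"]][m["src"]] += 1
    return failures

def find_rotating_brute_force(failures, min_sources=3, max_per_source=8):
    """Accounts hit from many distinct IPs, each making only a handful of attempts.
    Thresholds are assumed; tune them to the site's normal failure rate."""
    findings = {}
    for user, by_src in failures.items():
        if len(by_src) >= min_sources and max(by_src.values()) <= max_per_source:
            findings[user] = {"sources": len(by_src), "attempts": sum(by_src.values())}
    return findings

def find_password_spray(failures, min_users=4):
    """Source IPs that failed against many different accounts: {src_ip: distinct_users}."""
    users_per_src = defaultdict(set)
    for user, by_src in failures.items():
        for src in by_src:
            users_per_src[src].add(user)
    return {src: len(u) for src, u in users_per_src.items() if len(u) >= min_users}
```

Feeding real gateway logs through this requires only adjusting `LINE_RE` to the product's own failure message; the two aggregations are what matter, since the account-centric one is what catches the "rinse and repeat" rotation.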
Martin said the identity of whoever is running Brutus remains unclear, although there is circumstantial evidence in the form of two IP addresses previously seen in attacks attributed to APT29, aka Midnight Blizzard – formerly Nobelium – and Cozy Bear. Researchers have tied the group to the Russian Foreign Intelligence Service, which Western intelligence has blamed for major attacks against the likes of SolarWinds, Microsoft and others (see: After Microsoft Suffers Mega-Breach, What Can Customers Do?).