Attackers were observed targeting remote-access VPNs from “various cybersecurity vendors” as a way to gain entry and exploit vulnerabilities in enterprise networks, according to Check Point Software.
In a May 27 blog post, Check Point researchers said on May 24 they identified a "small number" of login attempts using old VPN local accounts that relied on a password-only authentication method.
“We have assembled special teams of incident response, research, technical services and products professionals which thoroughly explored those and any other potential related attempts,” wrote the Check Point researchers. “Relying on these customers’ notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.”
The Check Point researchers said that security teams should consider using a certificate-based approach to secure their VPN gateways because the password-only option just doesn’t deliver the level of security enterprise networks need today.
Patrick Tiquet, vice president of security and architecture at Keeper Security, said Check Point’s advisory reminds security teams that enterprises must continually update their authentication methods to ensure they are in line with the latest best practices.
Reliance on password-only authentication is a glaring vulnerability that attackers can easily exploit, said Tiquet, adding that enterprises need to adopt a layered security approach that includes strong authentication methods, regular security assessments, and timely application of security patches.
“Whether a breach occurs through phishing, weak passwords, brute-force password attacks or other means, strengthening authentication mechanisms and reviewing access controls are equally important priorities,” said Tiquet. "When possible, teams should enable multi-factor authentication to help protect against phishing and brute force, among other cyberattacks.”
Jason Soroko, senior vice president of product at Sectigo, added that username and password authentication is now below the threshold of basic security, especially when much stronger forms of authentication are available today. In addition to being insecure and inefficient, passwords are becoming increasingly inappropriate for many modern enterprise use cases, said Soroko.
Soroko pointed out that many of today’s enterprise applications already actively support modern alternatives to passwords by offering certificate-based authentication as the de facto technology to replace passwords for humans and machines.
“I recommend using certificate-based authentication, which leverages digital certificates to successfully authenticate and secure human and machine identities, ahead of granting access to the enterprise network,” said Soroko. “With certificate-based authentication, enterprises can ensure human and machine identities requesting access to the network are legitimate.”
Albert Martinek, customer threat analyst at Horizon3.ai, explained that bad actors don’t typically use sophisticated hacking tools and techniques like zero-day exploits to gain access to a network: they simply log in with legitimate user credentials. Once they gain initial access, Martinek said threat actors then appear as legitimate users and can move laterally within a network to gain further access and establish persistence, steal sensitive data, bring down systems, and/or hold the organization hostage through ransomware.
Martinek pointed out that nefarious actors exploit credential requirements in many ways. They can:
- Take advantage of weak password strength requirements or weak account lockout thresholds.
- Capture and then crack hashes.
- Take advantage of accounts that reuse compromised credentials.
- Use the default credentials that remain unchanged in a variety of web applications and systems processes.
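The activity Check Point describes (logins to old local VPN accounts protected only by a password) and the weak-lockout and brute-force points raised above are both things a defender can look for in gateway authentication logs. The script below is an added example written for this article; it is not Check Point's code or log schema. It assumes a hypothetical key=value log format, a constructed set of sample lines using documentation IP ranges, and a constructed list of gateway-local account names. It flags successful password-only logins to local accounts, password-guessing bursts from one source against one account, and the higher-priority case of a success that follows such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical key=value gateway log format.
# This is NOT a real vendor log schema; adapt LINE_RE to your gateway's export.
SAMPLE_LOGS = """\
2024-05-24T08:00:01Z vpn-gw auth user=svc_backup src=203.0.113.10 method=password result=success
2024-05-24T08:00:05Z vpn-gw auth user=jdoe src=198.51.100.5 method=certificate result=success
2024-05-24T08:01:00Z vpn-gw auth user=admin src=203.0.113.10 method=password result=failure
2024-05-24T08:01:02Z vpn-gw auth user=admin src=203.0.113.10 method=password result=failure
2024-05-24T08:01:04Z vpn-gw auth user=admin src=203.0.113.10 method=password result=failure
2024-05-24T08:01:06Z vpn-gw auth user=admin src=203.0.113.10 method=password result=failure
2024-05-24T08:01:08Z vpn-gw auth user=admin src=203.0.113.10 method=password result=failure
2024-05-24T08:01:10Z vpn-gw auth user=admin src=203.0.113.10 method=password result=success
2024-05-24T09:30:00Z vpn-gw auth user=asmith src=198.51.100.7 method=password+otp result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)

# Accounts defined locally on the gateway rather than in the directory (constructed list;
# in practice export this from the gateway's user database).
LOCAL_ACCOUNTS = {"svc_backup", "admin", "vpn_legacy"}


def parse_line(line):
    """Return a dict for one auth event, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_logs(text):
    """Parse every matching line; unparseable lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def password_only_local_logins(records, local_accounts=LOCAL_ACCOUNTS):
    """Successful logins to local accounts that used a bare password (no certificate, no second factor)."""
    return [r for r in records
            if r["result"] == "success" and r["method"] == "password" and r["user"] in local_accounts]


def bruteforce_candidates(records, threshold=5, window=timedelta(minutes=10)):
    """(user, src) pairs with at least `threshold` failures inside any sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[(r["user"], r["src"])].append(r["ts"])
    hits = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def report(text):
    """Combine the checks into one finding set; a success after a burst is the highest-priority item."""
    records = parse_logs(text)
    hits = bruteforce_candidates(records)
    pw_only = password_only_local_logins(records)
    return {
        "password_only_local_logins": sorted({(r["user"], r["src"]) for r in pw_only}),
        "bruteforce": hits,
        "success_after_bruteforce": sorted({(r["user"], r["src"]) for r in records
                                            if r["result"] == "success" and (r["user"], r["src"]) in hits}),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

The password-only check is deliberately strict about the method string: a line reporting `password+otp` or `certificate` is not flagged, so the output lists exactly the accounts that still depend on the authentication mode the article calls insufficient. The brute-force window and threshold are parameters so they can be aligned with whatever lockout policy the gateway actually enforces; a burst that exceeds the configured lockout threshold without ever producing a lockout event is itself a finding worth raising.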