VPN Devices Under Attack: Shift to Multi-Factor Authentication

Multi-Factor Authentication

Publicly exposed VPN devices are increasingly becoming cyberattack targets, significantly enlarging the attack surface (see here). Zero-day vulnerabilities in internet-facing devices are now being exploited before the vendor is even aware of the bug, let alone before a patch is available. But even without an exploitable zero-day, attackers are actively searching for ways into organizational networks.

As a case in point, Check Point recently warned of widespread login attempts trying to brute-force accounts protected only by a password in its VPN products (see the full blog post here).

So what are the key takeaways?

  • First, it's worth noting that Check Point is relying here on customer-approved telemetry, which means many other customers could be victims without the vendor being notified. Again, this stresses the need for closer vendor-managed infrastructure, a route many vendors have taken with the SASE architecture and managed services (for example, see here). Delivering patches and hoping customers will install them in time is no longer feasible.

  • Second, password-only authentication should not exist on any public-facing asset such as a VPN gateway. In this case, Check Point recommends not relying on passwords when logging in to network infrastructure, but will customers listen? That is why the vendor is also releasing patches that disable one-factor (i.e. password-only) local account logins.
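
A log review that acts on the second takeaway, as an added example (not code from this post or from Check Point): it lists accounts that logged in with a password alone and the sources generating bursts of failed logins. The comma-separated log layout, account names and addresses are constructed for illustration and are not a vendor log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time,src_ip,user,method,result (assumed layout, not a vendor format)
SAMPLE_LOG = """\
2024-01-01T08:00:01,198.51.100.7,admin,password,fail
2024-01-01T08:00:04,198.51.100.7,test,password,fail
2024-01-01T08:00:09,198.51.100.7,vpnuser,password,fail
2024-01-01T08:00:13,198.51.100.7,svc_backup,password,fail
2024-01-01T08:00:18,198.51.100.7,svc_backup,password,fail
2024-01-01T08:00:25,198.51.100.7,svc_backup,password,ok
2024-01-01T08:05:00,203.0.113.20,alice,password+totp,ok
2024-01-01T08:06:10,192.0.2.44,bob,password+totp,fail
2024-01-01T09:15:00,203.0.113.50,legacy_admin,password,ok
"""

def parse_events(text):
    """Parse the rows into dicts with a datetime 'time', sorted chronologically."""
    cols = ["time", "src_ip", "user", "method", "result"]
    events = [dict(zip(cols, l.split(","))) for l in text.splitlines() if l.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def password_only_accounts(events):
    """Accounts that completed a login with a password and no second factor."""
    return {e["user"] for e in events
            if e["result"] == "ok" and e["method"] == "password"}

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` failed logins inside a sliding window."""
    recent, flagged = defaultdict(deque), set()
    for e in (e for e in events if e["result"] == "fail"):
        q = recent[e["src_ip"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src_ip"])
    return flagged

def suspicious_successes(events, **kw):
    """Password-only successes from any source flagged for brute forcing."""
    noisy = brute_force_sources(events, **kw)
    return [(e["src_ip"], e["user"]) for e in events
            if e["result"] == "ok" and e["method"] == "password"
            and e["src_ip"] in noisy]
```

Every account returned by `password_only_accounts` is a candidate for enforced MFA or removal; any pair returned by `suspicious_successes` should be treated as a likely compromise and investigated.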

It's time to make multi-factor authentication the default, as cloud providers (Google, Azure, AWS) are already doing, since they have also been massively targeted by brute-force attacks, credential stuffing and, of course, phishing.

If you still rely on password-only authentication for remote VPN access, you will be (or are already) breached.

