Check Point warns customers to patch VPN vulnerability under active exploitation
Also, free pianos are the latest internet scam bait, Cooler Master gets pwned, and some critical vulnerabilities
Infosec in brief Cybersecurity software vendor Check Point is warning customers to update their software immediately in light of a zero day vulnerability under active exploitation.
Check Point announced early last week that it had detected "a small number of login attempts" targeting some of its customers' VPN environments. The company later said it discovered the root cause, assigned a CVE (CVE-2024-24919, CVSS 8.6), and urged customers to update their software as soon as possible.
The vulnerability affects Check Point's CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances. Those with Remote Access VPN, also called the "Mobile Access Blade," enabled are vulnerable.
Check Point didn't give much explanation of the vulnerability, but did say it involves attackers "using old VPN local-accounts relying on unrecommended password-only authentication method."
"Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure," Check Point added.
Patches are available for all affected systems. Check Point said on the patch page that successful exploitation of the vulnerability could result in an attacker accessing sensitive information on a security gateway, and could allow an attacker to move laterally with domain administrator privileges.
Threat intelligence firm Mnemonic, which said it was contacted by Check Point about the vulnerability, has since discovered it being exploited since late April.
"It is now proven that the vulnerability allows a threat actor to retrieve all files on the local filesystem," Mnemonic said. "This includes password hashes for all local accounts, SSH keys, certificates and other critical files."
Along with installing patches, Check Point recommends that users harden their VPN posture given that the vulnerability relies on exploiting accounts without additional authentication enabled.
A good start would be requiring multiple authentication factors. Check Point also recommends reviewing and removing unnecessary local VPN accounts and ensuring any necessary ones have additional authentication measures added. MFA can be a headache, but do you want a breach on your head?
Critical vulnerabilities: Just asking, but what version are your Linux kernels?
Not to sound the alarm, but that "effortless" Linux kernel root access vulnerability we covered back in March is now under active exploitation.
CISA added CVE-2024-1086 to its known exploited vulnerabilities catalog this week. For those unsure if they're vulnerable, the issue affects any Linux distribution with a kernel version between 5.14 and 6.6.14. Time to check that kernel version and update ASAP.
Elsewhere:
- CVSS 9.8 – multiple CVEs: Westermo EDW-100 serial to Ethernet converters use hard-coded credentials stored in plain text that can easily be extracted and used to compromise the device.
- CVSS 9.4 – CVE-2024-5176: Baxter Welch Allyn's product configuration tool improperly protects credentials, making it easy to steal them and compromise affected devices.
- CVSS 9.3 – multiple CVEs: LenelS2's Netbox event monitoring software versions prior to 5.6.2 use hard-coded passwords, and are available to malicious command injections.
- CVSS 9.1 – CVE-2024-1275: Baxter Welch Allyn Connex Spot Monitor devices are using default cryptography keys, allowing an attacker to tamper with devices and modify software.
- CVSS 8.5 – multiple CVEs: Fuji Electric's Monitouch V-SFT screen configuration software contains OOB write and stack-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code.
- CVSS 8.5 – CVE-2023-31468: Inosoft's VisiWin 7 mechanical engineering software uses incorrect default permissions, allowing an attacker to easily gain system privileges.
Sorry, but the free piano probably isn't coming
Internet scammers might be fairly transparent to those who know how to spot them, but let none say they aren't creative.
- Bayer and 12 other major drug companies caught up in Cencora data loss
- Nissan infosec in the spotlight again after breach affecting more than 50K US employees
- Encrypted mail service Proton hands suspect's personal info to local cops
- Germany points finger at Fancy Bear for widespread 2023 hacks, DDoS attacks
To illustrate that, we present a report from security outfit Proofpoint, which said it's been tracking a surprisingly large advanced fee fraud (AFF) scam centered on unloading a "free piano" on their victims.
Spotted primarily targeting university students and faculty in North America, the scam involves an individual offering a free piano due to office downsizing, retirement, family death, or some other excuse. The piano is free, but shipping will have to be paid, naturally.
"How could anyone fall for this?" you ask. Well, one Bitcoin wallet address linked to the scam contains over $900,000. As Proofpoint notes, it's likely being used for a number of different scams so that might not all be shipping money for unsent pianos, but some of it could be.
"If an unsolicited email sounds too good to be true, it probably is," Proofpoint said. Just be glad this one didn't include malware.
Cooler Master spills customer data
Cooler Master, makers of computer components and a variety of uber-leet gamer gear, has been pwned like a noob, with a haxxor claiming to have made off with 103 GB of data from the company's Fanzone support site.
Cooler Master confirmed the incident in a notice posted to its website, saying that its "quick actions" responding to the intrusion meant it "prevented the vast majority of our data and your personal information from being improperly accessed."
The "little consumer data" that "was improperly accessed" still includes names, phone numbers, physical addresses, and credit card information for a "limited" number of loyalty members – some pretty sensitive stuff.
And it's not like it was just a few customers whose data was allegedly stolen. Ghostr, the individual who claimed to have broken into Fanzone and downloaded some of its linked databases, claimed there were more than 500,000 customers' data in the chunk stolen.
Ghostr reportedly said they plan to sell the stolen data on a hacking forum, so if you've ever been a Cooler Master customer, it's a good idea to take appropriate measures to protect your identity. ®