
Hackers attack VPN devices with remote access to Check Point

Check Point Software Technologies recently issued an advisory regarding an ongoing campaign by threat actors to breach corporate networks by attacking remote access VPN devices.

This development underscores the growing interest of malicious groups in using remote access VPN environments as entry points into corporate infrastructures.

Check Point Remote Access VPN is integrated with all Check Point firewalls, providing secure access to corporate networks via VPN clients or web-based SSL VPN portals.

However, attackers are focusing on security gateways with outdated local accounts that rely solely on password authentication, a method considered insecure without an additional layer of certificate authentication.


The company said that through May 24, 2024, it had identified a small number of login attempts using old local VPN accounts with password-only authentication.

These attempts were part of a broader global trend pointing to a simple method of unauthorized access.

“A Check Point spokesperson initially disclosed three such attempts, and further review revealed a similar pattern in other cases, highlighting the need for enhanced security measures.”

Recommendations and preventive measures

To counteract these attacks, Check Point has issued several recommendations to its customers:

  1. Check for vulnerable accounts: Customers are advised to review their systems for local accounts, determine their use, and identify those that rely solely on password authentication.
  2. Disable unused accounts: If local accounts are not being used, it is best to disable them to prevent potential exploitation.
  3. Improve authentication methods: For accounts that need to remain active, it is recommended to add another layer of authentication, such as certificates, to increase security.
  4. Deploy the Security Gateway patch: Check Point has released a patch to its security gateway that blocks password-only authentication for all local accounts. This solution prevents accounts with weak password-only authentication from logging in to the remote access VPN.
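The four recommendations above amount to an account audit followed by a log check. As an added example (not Check Point's own tooling or the advisory's code), the script below takes a constructed inventory of local VPN accounts, assigns each the action the list calls for (disable if unused, add a certificate if it is active but password-only), and then scans constructed gateway authentication log lines for attempts against the password-only accounts. The account fields, the `user=… src=… auth=… result=…` log format, the 90-day "unused" threshold and all names are assumptions made for the example.

```python
"""Audit local VPN accounts and flag password-only login attempts.

Added example; not Check Point's code. The inventory, log format and
thresholds are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

# Date of the advisory's observation window, used as "now" for the audit.
AUDIT_DATE = datetime(2024, 5, 24)
UNUSED_AFTER = timedelta(days=90)   # assumed policy: no login in 90 days = unused


@dataclass
class LocalAccount:
    name: str
    auth_methods: tuple          # e.g. ("password",) or ("password", "certificate")
    enabled: bool
    last_login: Optional[datetime]   # None = never logged in


# Constructed sample inventory (hypothetical account names, not real data).
ACCOUNTS = [
    LocalAccount("vpn-legacy1", ("password",), True, datetime(2023, 11, 1)),
    LocalAccount("contractor", ("password",), True, datetime(2024, 5, 20)),
    LocalAccount("admin-ops", ("password", "certificate"), True, datetime(2024, 5, 23)),
    LocalAccount("old-svc", ("password",), False, None),
    LocalAccount("never-used", ("password",), True, None),
]


def classify(acct: LocalAccount, now: datetime = AUDIT_DATE) -> str:
    """Map one account to the recommended action from the advisory list.

    Order matters: an unused account is disabled (recommendation 2) before
    we consider strengthening its authentication (recommendation 3).
    """
    if not acct.enabled:
        return "already-disabled"
    if acct.last_login is None or now - acct.last_login > UNUSED_AFTER:
        return "disable-unused"
    if acct.auth_methods == ("password",):
        return "add-certificate"
    return "ok"


def audit(accounts=ACCOUNTS, now: datetime = AUDIT_DATE) -> dict:
    """Return {account name: recommended action} for the whole inventory."""
    return {a.name: classify(a, now) for a in accounts}


# Constructed log lines in an assumed key=value format (not a real gateway format).
LOG_LINES = [
    "2024-05-22T03:14:07Z user=vpn-legacy1 src=198.51.100.7 auth=password result=failure",
    "2024-05-22T03:14:09Z user=contractor src=198.51.100.7 auth=password result=success",
    "2024-05-22T03:15:00Z user=admin-ops src=203.0.113.5 auth=certificate result=success",
    "malformed line that the parser must skip",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) auth=(?P<auth>\S+) result=(?P<result>\S+)$"
)


def password_only_attempts(log_lines=LOG_LINES, accounts=ACCOUNTS) -> list:
    """Return (user, src, result) for every password login against a
    password-only local account, successful or not. Both outcomes matter:
    a success on such an account is exactly the access path the advisory
    describes, and a failure is an attempt worth correlating by source."""
    weak = {a.name for a in accounts if a.auth_methods == ("password",)}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        if m["user"] in weak and m["auth"] == "password":
            hits.append((m["user"], m["src"], m["result"]))
    return hits


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{name:12s} -> {action}")
    for user, src, result in password_only_attempts():
        print(f"password-only login attempt: user={user} src={src} result={result}")
```

Running the script prints one action per account and then the two attempts against password-only accounts. In a real deployment the inventory and log lines would come from the gateway's own exports, and an account classified as `add-certificate` would be migrated before the password-only block described in recommendation 4 is enforced, so legitimate users are not locked out.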

Check Point is not the only company facing such threats. In April 2024, Cisco also warned of widespread credential brute-force attacks targeting VPN and SSH services on devices from multiple vendors, including Check Point, SonicWall, Fortinet, and Ubiquiti.

These attacks, originating from TOR exit nodes and other anonymization tools, are part of a broader campaign since March 18, 2024.

Cisco’s warnings included reports of password spraying attacks linked to the “Brutus” malware botnet, which controlled more than 20,000 IP addresses across cloud services and home networks.

Additionally, since November 2023, the state-backed hacking group UAT4356 has been exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to breach government networks around the world.

The recent increase in attacks on VPN services highlights the critical need for robust security measures. Check Point’s proactive steps, including the release of a patch and detailed recommendations to improve VPN security posture, are aimed at mitigating the risk posed by these sophisticated cyber threats.

Enterprises are urged to strictly follow these guidelines to protect their networks from unauthorized access and potential breaches.

For more detailed guidance on improving VPN security and responding to unauthorized access attempts, customers can review Check Point’s support documentation and contact the support center for assistance.
