
Attackers probe Check Point remote access VPN devices

Attackers are trying to gain access to Check Point VPN devices through local accounts protected only by passwords, the company warned on Monday.

Their ultimate goal is to use this access to discover and pivot to other enterprise resources and users and achieve persistence in enterprise environments.

Attacks on VPN and other services

In mid-April 2024, Cisco Talos warned of a global increase in brute-force attacks on VPN services, web application authentication interfaces, and SSH services.

The targets of these attacks were VPN devices from Cisco, Check Point, Fortinet and SonicWall, as well as MikroTik, DrayTek and Ubiquiti devices.

The attempts came from IP addresses associated with proxy services and paired likely usernames with common passwords such as “Passw0rd”, “qwerty”, “test123”, etc.

The usernames used fall into one of several categories:

  • First-name initial + common surname, e.g. “cwilliams”, “jgarcia”, “msmith”
  • Common first names such as “Mary”, “Brian”, “Leon”, etc.
  • Role/service words: “test.user”, “superadmin”, “cloud”, “ftpadmin”, “backupuser”, “vpn”, etc.
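The username categories above make a password-spraying run against a VPN gateway fairly easy to spot in authentication logs: one source address, many distinct usernames, few attempts per user, all using password-only authentication. The script below is an added example (not code from the article, Cisco Talos or Check Point) that parses a constructed, simplified gateway log, classifies usernames into the categories Talos described, flags sources that fail password logins for several distinct users inside a short window, and separately lists successful password-only logins, which are exactly the accounts Check Point advises disabling or moving to certificate authentication. The log format, field names, IP addresses, thresholds and name lists are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway authentication log. The format is illustrative,
# not real Check Point output, and the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-20T10:00:01Z gw1 auth-fail src=203.0.113.10 user=cwilliams method=password
2024-05-20T10:00:02Z gw1 auth-fail src=203.0.113.10 user=jgarcia method=password
2024-05-20T10:00:03Z gw1 auth-fail src=203.0.113.10 user=msmith method=password
2024-05-20T10:00:04Z gw1 auth-fail src=203.0.113.10 user=Mary method=password
2024-05-20T10:00:05Z gw1 auth-fail src=203.0.113.10 user=superadmin method=password
2024-05-20T10:00:06Z gw1 auth-fail src=203.0.113.10 user=backupuser method=password
2024-05-20T10:00:07Z gw1 auth-ok src=203.0.113.10 user=vpn method=password
2024-05-20T10:05:00Z gw1 auth-fail src=198.51.100.7 user=alice.jones method=password
2024-05-20T10:05:40Z gw1 auth-ok src=198.51.100.7 user=alice.jones method=certificate
2024-05-20T11:00:00Z gw1 auth-ok src=192.0.2.55 user=bob.lee method=certificate
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>auth-(?:fail|ok)) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) method=(?P<method>\S+)$"
)

# Small, assumed word lists mirroring the three username categories.
COMMON_SURNAMES = ("williams", "garcia", "smith", "jones", "brown", "johnson")
INITIAL_SURNAME_RE = re.compile(r"^[a-z](%s)$" % "|".join(COMMON_SURNAMES))
COMMON_FIRST_NAMES = {"mary", "brian", "leon", "john", "david", "sarah"}
ROLE_WORDS = {"test.user", "superadmin", "cloud", "ftpadmin",
              "backupuser", "vpn", "admin", "test"}


def classify_username(user):
    """Map a username to one of the spray categories, or 'other'."""
    u = user.lower()
    if u in ROLE_WORDS:
        return "role"
    if u in COMMON_FIRST_NAMES:
        return "common-name"
    if INITIAL_SURNAME_RE.match(u):
        return "initial-surname"
    return "other"


def parse_log(text):
    """Parse auth events; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_sprays(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed password logins cover >= min_users
    distinct usernames inside a sliding time window. Reports, per source,
    the window with the most distinct usernames."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "auth-fail" and e["method"] == "password":
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users and (
                    best is None or len(users) > best["distinct_users"]):
                cats = defaultdict(int)
                for u in users:
                    cats[classify_username(u)] += 1
                best = {"src": src, "distinct_users": len(users),
                        "failed_attempts": end - start + 1,
                        "categories": dict(cats)}
        if best:
            findings.append(best)
    return findings


def password_only_successes(events):
    """Successful logins where a password was the sole factor."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "auth-ok" and e["method"] == "password"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_sprays(evs):
        print("spray:", f)
    for src, user in password_only_successes(evs):
        print("password-only login:", user, "from", src)
```

On the sample log the spray detector reports the 203.0.113.10 source with six distinct usernames across all three categories, while the single failure from 198.51.100.7 followed by a certificate login stays below the threshold. The password-only success for the "vpn" account is the kind of legacy local account the rest of the article is about; in a real deployment the thresholds and word lists should be tuned to the organisation's naming scheme, and the source-address check should be complemented with a look at whether the address belongs to a proxy or hosting range.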

Check Point now says it has also seen recent breaches of VPN solutions, including those from various cybersecurity vendors.

“In light of these events, we are monitoring attempts to gain unauthorized access to Check Point customers’ VPNs. Through May 24, 2024, we detected a small number of login attempts using old local VPN accounts based on a non-recommended password-only authentication method.”

Attack prevention

The good news is that these attacks can be easily thwarted by:

  • Disabling local accounts (if not in use)
  • Adding another layer of authentication (e.g. certificates), or
  • Installing a patch that blocks internal users from logging in to Remote Access VPN with a password as the only authentication factor.

“Password-only authentication is considered a non-favorable method of ensuring the highest level of security, and we recommend that you do not rely on it when logging into your network infrastructure,” Check Point stated, and offered additional advice on how to improve your VPN security posture and investigate unauthorized access attempts.