Check Point Software Technologies recently issued an advisory regarding an ongoing campaign by threat actors to breach enterprise networks by targeting Remote Access VPN devices.
This development underscores the growing interest of malicious groups in exploiting remote-access VPN environments as entry points into corporate infrastructures.
Check Point’s Remote Access VPN is integrated into all its network firewalls, providing secure access to corporate networks via VPN clients or web-based SSL VPN portals.
However, attackers have been focusing on security gateways with outdated local accounts that rely solely on password authentication, a method deemed insecure without the additional layer of certificate authentication.
The company reported that by May 24, 2024, it had identified a small number of login attempts using old VPN local accounts with password-only authentication.
These attempts were part of a broader global trend, indicating a straightforward method for unauthorized access.
A Check Point spokesperson said that three such attempts were identified initially, and that further analysis suggested a similar pattern in other cases, underscoring the need for enhanced security measures.
To counter these attacks, Check Point has issued several recommendations for its customers:
Check Point is not the only company facing such threats. In April 2024, Cisco also warned about widespread credential brute-forcing attacks targeting VPN and SSH services on devices from multiple vendors, including Check Point, SonicWall, Fortinet, and Ubiquiti.
These attacks, originating from TOR exit nodes and other anonymization tools, have been part of a broader campaign since March 18, 2024.
Cisco’s warnings included reports of password-spraying attacks linked to the “Brutus” malware botnet, which controlled over 20,000 IP addresses across cloud services and residential networks.
Additionally, the UAT4356 state-backed hacking group has been exploiting zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to breach government networks globally since November 2023.
The recent surge in attacks on VPN services underscores the critical need for robust security measures. Check Point’s proactive steps, including releasing a hotfix and detailed recommendations for enhancing VPN security posture, aim to mitigate the risks posed by these sophisticated cyber threats.
Enterprises are urged to follow these guidelines diligently to protect their networks from unauthorized access and potential breaches.
For more detailed guidance on improving VPN security and responding to unauthorized access attempts, customers can refer to Check Point’s support documentation and contact their technical support center for assistance.