Check Point Software Technologies released a new threat advisory on Monday that warns of malicious groups’ increased interest in targeting Remote Access VPN devices as an entry point and attack vector into enterprises.
For those unaware, Check Point’s Remote Access VPN (Virtual Private Network) offers users secure, seamless remote access to apps and data that reside in the corporate data center and headquarters when traveling or working remotely. It encrypts all traffic users send and receive.
Security researchers at Check Point Software Technologies, a leading provider of cyber security solutions to corporate enterprises and governments globally, said that threat actors are interested in gaining access to organizations through remote-access setups.
This can help them find significant enterprise assets and users and look for vulnerabilities to gain persistence on key enterprise assets.
“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers,” the company said in the advisory.
According to Check Point, the company was able to identify a small number of login attempts by May 24, 2024, that were using old VPN local accounts with password-only authentication, a method considered insecure without the extra layer of certificate authentication.
“We’ve seen 3 such attempts, and later when we further analysed it with the special teams we assembled, we saw what we believe are potentially the same pattern (around the same number). So – a few attempts globally all in all but enough to understand a trend and especially – a quite straightforward way to ensure it’s unsuccessful,” a Check Point spokesperson told BleepingComputer.
To address these unauthorized remote access attempts, Check Point has issued several preventative measures for its customers:
- Check for vulnerable accounts on Quantum Security Gateway and CloudGuard Network Security products and on Mobile Access and Remote Access VPN software blades;
- Change the user authentication method to more secure options;
- Delete unused and vulnerable local accounts from the Security Management Server database;
- Utilize Check Point’s Security Gateway Hotfix to improve the overall security of the product by blocking local accounts that use Check Point passwords as the only authentication factor.
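The first three measures amount to an account audit. The sketch below is an added example, not Check Point tooling or code from the advisory: it flags local accounts whose only authentication factor is a password and sorts them into "delete" (unused) or "change-auth" (still in use). The CSV columns, the sample rows and the 90-day idle threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The column names are assumptions for this
# example and do not represent a Check Point export format.
SAMPLE_CSV = """username,account_type,auth_methods,last_login
alice,local,password,2021-03-02
bob,local,password+certificate,2024-05-20
carol,ldap,password,2024-05-22
svc-old,local,password,
dave,local,password,2024-05-21
"""


def audit_accounts(csv_text, today, stale_days=90):
    """Return (username, action) for local accounts using password-only auth.

    action is "delete" for accounts idle longer than stale_days (or never
    used), and "change-auth" for accounts that are still active.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        methods = {m.strip().lower()
                   for m in row["auth_methods"].split("+") if m.strip()}
        is_local = row["account_type"].strip().lower() == "local"
        # Only local accounts with the password as the sole factor are in scope.
        if not is_local or methods != {"password"}:
            continue
        last = row["last_login"].strip()
        # An empty last_login means the account has never been used.
        idle_days = (today - date.fromisoformat(last)).days if last else None
        stale = idle_days is None or idle_days > stale_days
        findings.append((row["username"], "delete" if stale else "change-auth"))
    return findings


if __name__ == "__main__":
    for user, action in audit_accounts(SAMPLE_CSV, date(2024, 5, 27)):
        print(f"{user}: {action}")
```
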
For detailed information on improving VPN security and guidance on responding to unauthorized access attempts, customers can check out Check Point’s support article or contact their technical support center.
Check Point is not the first company whose VPN devices are being targeted in ongoing attacks.
In April 2024, Cisco also warned about a surge in brute-force attacks affecting VPN and SSH services, including Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, Draytek, and Ubiquiti.
This campaign has been underway since at least March 18, 2024, with the attacks originating from TOR exit nodes and a range of other anonymizing tunnels and proxies to evade blocking.