Hackers Targeting Check Point Remote Access VPN Devices to Infiltrate Business Networks
NS3TechSolutions Private Limited
We are providing the best networking services and deliver end-to-end solutions.
Check Point Software Technologies has recently warned about hackers trying to break into business networks by attacking their Remote Access VPN devices. This highlights how hackers are increasingly targeting remote-access VPNs as a way to access corporate systems.
Check Point’s Remote Access VPN is part of all its network firewalls, allowing secure connections to corporate networks through VPN clients or web-based SSL VPN portals. However, attackers are now focusing on security gateways that still have old local accounts relying on password-only authentication, a method that is weak unless it is combined with certificate authentication.
By May 24, 2024, the company had identified a few login attempts using old VPN accounts that were protected only by a password. This is part of a larger trend and shows how simple a method of gaining unauthorized access can be.
A Check Point spokesperson mentioned three such attempts initially, and further investigation found similar patterns in other cases, stressing the need for better security.
Recommendations and Preventative Measures
To prevent these attacks, Check Point has provided several recommendations:
Check Point is not alone in facing these threats. In April 2024, Cisco also warned about widespread attacks targeting VPN and SSH services on devices from multiple vendors, including Check Point, SonicWall, Fortinet, and Ubiquiti. These attacks, often using TOR exit nodes and other anonymizing tools, have been part of a larger campaign since March 18, 2024.
Cisco's warnings included reports of password-spraying attacks linked to the “Brutus” malware botnet, which controlled over 20,000 IP addresses across cloud services and residential networks. Additionally, the state-backed hacking group UAT4356 has been exploiting zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to breach government networks globally since November 2023.
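For defenders, the two patterns described above (password spraying spread across many source addresses, and password-only logins to old local accounts) can be looked for in VPN authentication logs. The following is an added example, not code from Check Point or Cisco; the log format, account names, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Constructed sample events in a hypothetical format (not a Check Point log schema):
# timestamp, source IP, username, auth method, result
SAMPLE_LOG = """\
2024-05-24T02:00:05 198.51.100.7 admin password FAIL
2024-05-24T02:01:10 203.0.113.9 vpnuser password FAIL
2024-05-24T02:02:30 192.0.2.44 test password FAIL
2024-05-24T02:03:12 198.51.100.23 backup password FAIL
2024-05-24T02:04:40 203.0.113.80 svc_old password FAIL
2024-05-24T02:08:01 192.0.2.61 svc_old password OK
2024-05-24T09:15:00 192.0.2.10 alice certificate OK
2024-05-24T09:16:00 192.0.2.10 bob password FAIL
2024-05-24T09:16:20 192.0.2.10 bob password FAIL
2024-05-24T09:16:45 192.0.2.10 bob certificate OK
"""
# Assumed inventory of legacy local accounts on the gateway (constructed).
LOCAL_ACCOUNTS = {"svc_old", "test"}

def parse(log):
    """Turn whitespace-separated lines into (time, ip, user, method, result) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, method, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, method, result))
    return events

def find_spray_windows(events, window=timedelta(minutes=10), min_users=4, max_per_ip=2):
    """Flag windows where many distinct accounts fail while each source IP
    stays quiet, the pattern a per-IP lockout threshold does not catch."""
    buckets = defaultdict(list)
    for ts, ip, user, _method, result in events:
        if result == "FAIL":
            buckets[(ts - EPOCH) // window].append((ip, user))
    alerts = []
    for idx, fails in sorted(buckets.items()):
        per_ip = Counter(ip for ip, _ in fails)
        users = {user for _, user in fails}
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({"start": EPOCH + idx * window,
                           "users": len(users), "ips": len(per_ip)})
    return alerts

def password_only_successes(events, local_accounts):
    """Successful logins to local accounts that used a password and no certificate."""
    return [e for e in events
            if e[4] == "OK" and e[3] == "password" and e[2] in local_accounts]
```

On the constructed sample, the 02:00 window is flagged because five accounts fail from five addresses with one attempt each, while the user who mistypes a password twice from a single address at 09:16 is not.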
The increase in VPN attacks highlights the urgent need for strong security measures. Check Point’s proactive steps, like releasing a hotfix and providing detailed security recommendations, aim to reduce the risks from these advanced cyber threats. Businesses are urged to follow these guidelines carefully to protect their networks from unauthorized access and potential breaches.
For more detailed advice on improving VPN security and handling unauthorized access attempts, customers can check Check Point’s support documents and reach out to their technical support team for help.