TL;DR - Attackers are targeting Check Point VPN gateways by logging in to old local accounts that still allow password-only authentication. Check Point has released a hotfix that blocks password-only logins for local accounts and recommends certificate-based or multi-factor authentication instead. Similar credential attacks have been observed against VPN devices from Cisco, SonicWall, and Fortinet. Enterprises should inventory and harden their VPN local accounts, apply the hotfix, and monitor for brute-force and password-spraying activity.
Cyber threats continue to evolve, with attackers increasingly targeting Virtual Private Networks (VPNs) to infiltrate enterprise networks. Recently, Check Point VPN devices have come under attack, highlighting the urgent need for robust security measures in remote access solutions.
Details of the Attack
Check Point's Remote Access VPN, integrated into its network firewalls, provides remote users with access to corporate networks. Attackers have identified a weakness in how some of these gateways are configured rather than a flaw in the software itself: old local accounts, often created years ago for vendors, service use, or emergency access, that still authenticate with a password alone. As of May 24, 2024, Check Point had identified a small number of login attempts against such accounts, and it published an advisory warning customers about the activity.
The attackers specifically target security gateways that rely solely on password authentication, a method Check Point does not recommend because a single guessed, leaked, or reused password is enough to log in. Check Point has recorded a small but noteworthy number of such attempts, enough to indicate a deliberate campaign rather than isolated noise.
Impact and Vulnerabilities
The core issue is the continued existence of old local accounts that depend on password-only authentication. Without a second factor, such accounts are exposed to brute-force guessing, password spraying across many usernames, and reuse of credentials leaked from other breaches. If one of these logins succeeds, the attacker gains the same network reach as the legitimate remote user, which can lead to data theft, compromise of internal systems, and, in the case of state-backed actors, long-term espionage access.
Response and Mitigation Measures
In response to these attacks, Check Point has released a hotfix for its Security Gateway. Once installed, the hotfix prevents local accounts from logging in with a password alone. Customers are strongly advised to install it and to review how their VPN users authenticate. Because the hotfix will also block legitimate password-only local accounts, administrators should first inventory those accounts, disable the ones that are no longer needed, and migrate the rest to certificate-based authentication or multi-factor authentication (MFA) so that no user, vendor, or service account is unexpectedly locked out.
Broader Context
This campaign against Check Point VPNs is part of a larger wave of credential attacks against VPN devices from multiple vendors, including Cisco, SonicWall, Fortinet, and Ubiquiti. Earlier this year, Cisco reported large-scale credential brute-forcing and password-spraying attacks against its VPN services. Security researcher Aaron Martin linked this activity to the Brutus botnet, which rotates login attempts across thousands of source IP addresses, making simple per-IP blocking and lockout rules ineffective.
Separately, state-backed hacking groups such as APT29 (associated with Russian intelligence) have been exploiting vulnerabilities in VPN and firewall devices for cyber espionage. Taken together, these campaigns show that internet-facing remote access infrastructure is a preferred entry point for both opportunistic and well-resourced attackers.
Recommendations for Enterprises
To protect against these threats, enterprises should:
- Implement Multi-Factor Authentication (MFA): Require a second factor for every VPN login so that a guessed or leaked password alone is not enough to gain access.
- Use Certificate-Based Authentication: Replace or supplement passwords with client certificates, which cannot be brute-forced or sprayed the way passwords can.
- Regularly Update and Patch Systems: Apply vendor updates to all network devices, including Check Point's hotfix that blocks password-only logins for local accounts.
- Monitor for Unauthorized Access: Alert on repeated failed logins from one source address, on one source attempting many different usernames (password spraying), and on any successful password-only login to a local account.
- Conduct Security Audits: Periodically inventory VPN local accounts, disable those that are unused or belong to former vendors and staff, and confirm that the remaining accounts use certificates or MFA.
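The audit and monitoring steps above can be automated. The following Python script is an added example written for this article, not Check Point's own tooling: it flags local accounts that still rely on a password alone, then runs three detections over VPN authentication events (brute force from one source, password spraying across many usernames, and a successful password-only login to a weak local account). The account inventory, the log lines, and the key=value log format are all constructed for illustration and are not Check Point's real data formats.

```python
"""Audit password-only VPN local accounts and detect credential attacks.

Added example for this article; not Check Point code. The account
inventory and the log events below are constructed, and the key=value
log format is a hypothetical simplification of a real VPN auth log.
"""
from collections import defaultdict

# Constructed account inventory (hypothetical format, not a real export).
ACCOUNTS = {
    "svc_backup": {"type": "local", "auth": ["password"]},
    "old_vendor": {"type": "local", "auth": ["password"]},
    "jdoe":       {"type": "local", "auth": ["password", "certificate"]},
    "asmith":     {"type": "ldap",  "auth": ["password", "otp"]},
}


def password_only_local_accounts(accounts):
    """Return local accounts whose only authentication factor is a password.

    These are the accounts to disable or migrate to certificates/MFA.
    """
    return sorted(
        name for name, acct in accounts.items()
        if acct["type"] == "local" and acct["auth"] == ["password"]
    )


# Constructed VPN authentication events (hypothetical key=value format).
LOG_LINES = """\
time=2024-05-25T02:11:04Z src=203.0.113.7 user=admin result=fail method=password
time=2024-05-25T02:11:09Z src=203.0.113.7 user=svc_backup result=fail method=password
time=2024-05-25T02:11:15Z src=203.0.113.7 user=root result=fail method=password
time=2024-05-25T02:11:20Z src=203.0.113.7 user=test result=fail method=password
time=2024-05-25T02:11:26Z src=203.0.113.7 user=vpn result=fail method=password
time=2024-05-25T02:11:33Z src=203.0.113.7 user=old_vendor result=success method=password
time=2024-05-25T08:02:41Z src=198.51.100.9 user=jdoe result=fail method=password
time=2024-05-25T08:03:10Z src=198.51.100.9 user=jdoe result=success method=certificate
time=2024-05-25T09:15:02Z src=192.0.2.44 user=asmith result=success method=otp
this line is garbled and must be skipped
""".splitlines()


def parse_line(line):
    """Parse one key=value event into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"time", "src", "user", "result", "method"}
    return fields if required.issubset(fields) else None


def analyze(lines, accounts, fail_threshold=5, spray_threshold=3):
    """Run the three detections and return the findings.

    brute_force:   source IPs with >= fail_threshold failed logins
    spraying:      source IPs that failed against >= spray_threshold usernames
    risky_success: successful password-only logins to weak local accounts
    """
    weak = set(password_only_local_accounts(accounts))
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    risky = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed line: skip rather than crash the detector
        if ev["result"] == "fail":
            failures[ev["src"]] += 1
            failed_users[ev["src"]].add(ev["user"])
        elif ev["result"] == "success" and ev["method"] == "password" and ev["user"] in weak:
            risky.append((ev["user"], ev["src"], ev["time"]))
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "spraying": {ip: len(u) for ip, u in failed_users.items() if len(u) >= spray_threshold},
        "risky_success": risky,
    }


if __name__ == "__main__":
    print("password-only local accounts:", password_only_local_accounts(ACCOUNTS))
    for finding, value in analyze(LOG_LINES, ACCOUNTS).items():
        print(f"{finding}: {value}")
```

On the constructed data the script reports svc_backup and old_vendor as password-only local accounts, flags 203.0.113.7 for both brute force and spraying, and surfaces the successful password-only login to old_vendor from that same address, which is the event that matters most: it is the one that would give an attacker network access and is exactly what the hotfix prevents. The thresholds are deliberately low for the demo; tune them to your gateway's normal failure rate, and remember that botnets such as Brutus spread attempts across many IPs, so per-user failure counts across all sources are worth tracking as well.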
The ongoing attacks on Check Point VPNs show how a long-forgotten local account with a password-only login can undo the protection an otherwise well-maintained gateway provides. Enterprises should treat remote access infrastructure as a primary target: remove or harden legacy accounts, require certificates or MFA for every VPN login, apply vendor fixes promptly, and watch authentication logs for the brute-force and spraying patterns described above. These measures are inexpensive compared with the cost of an attacker walking in through the front door.