TL;DR - Hackers are targeting Check Point VPN devices, exploiting old local accounts with insecure password-only authentication. Check Point has released a hotfix to mitigate this risk and recommends using multi-factor authentication. Similar attacks have been observed on other VPN devices from Cisco, SonicWall, and Fortinet. Enterprises should enhance their VPN security by updating authentication methods and monitoring for unauthorized access.

Cyber threats continue to evolve, with attackers increasingly targeting Virtual Private Networks (VPNs) to infiltrate enterprise networks. Recently, Check Point VPN devices have come under attack, highlighting the urgent need for robust security measures in remote access solutions.

Details of the Attack

Check Point's Remote Access VPN, integrated into its network firewalls, provides secure access to corporate networks. However, attackers have identified vulnerabilities in these devices, particularly those using outdated local accounts with insecure password-only authentication methods. Between May 24, 2024, and the present, Check Point has observed a series of unauthorized login attempts exploiting these weaknesses.

The attackers primarily target security gateways that rely solely on password authentication, which is less secure compared to methods that incorporate certificates. Check Point has recorded a small but significant number of such attempts, indicating a troubling trend.

Impact and Vulnerabilities

The core issue lies in the use of old local accounts that depend on password-only authentication. This method is vulnerable to brute-force attacks and other forms of unauthorized access. If exploited, these vulnerabilities could allow attackers to infiltrate enterprise networks, potentially leading to data breaches, system compromises, and further cyber espionage activities.

Response and Mitigation Measures

In response to these attacks, Check Point has released a hotfix for its Security Gateway. This update blocks local accounts from authenticating with a password alone, thus mitigating the risk. Customers are strongly advised to implement this hotfix and review their authentication methods. Switching to more secure options, such as multi-factor authentication (MFA) or certificate-based authentication, is crucial.

Broader Context

This campaign against Check Point VPNs is part of a larger wave of attacks targeting VPN devices from multiple vendors, including Cisco, SonicWall, Fortinet, and Ubiquiti. Earlier this year, Cisco reported extensive credential brute-forcing and password-spraying attacks on their VPN services. Security researcher Aaron Martin linked these activities to the Brutus botnet, which controls thousands of IP addresses and employs sophisticated evasion techniques.

Additionally, state-backed hacking groups, such as APT29 (associated with Russian intelligence), have been exploiting vulnerabilities in VPN and firewall devices for cyber espionage. These attacks underscore the importance of securing remote access infrastructure against increasingly advanced threats.

Recommendations for Enterprises

To protect against these threats, enterprises should:

• Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification.
• Use Certificate-Based Authentication: Replace or supplement passwords with digital certificates to ensure secure authentication.
• Regularly Update and Patch Systems: Apply the latest security updates and patches to all network devices.
• Monitor for Unauthorized Access: Set up robust monitoring systems to detect and respond to suspicious login attempts promptly.
• Conduct Security Audits: Regularly review and audit security configurations to identify and mitigate vulnerabilities.

The ongoing attacks on Check Point VPNs highlight the persistent and evolving nature of cyber threats. Enterprises must prioritize the security of their remote access solutions by adopting advanced authentication methods and staying vigilant against potential breaches. By taking proactive measures, organizations can better protect their networks and sensitive data from these sophisticated attacks.

FAQs

What are Check Point VPN devices and their primary use?

‍Check Point VPN devices provide secure remote access to corporate networks, allowing employees to connect safely from remote locations.

What specific vulnerabilities are being exploited in these attacks?

‍Attackers are exploiting old local accounts with password-only authentication methods, which are less secure and more susceptible to unauthorized access.

What steps has Check Point taken to mitigate these attacks?

‍Check Point has released a hotfix that blocks local accounts from using password-only authentication and recommends customers switch to more secure methods.

How can enterprises enhance their VPN security posture?

‍Enterprises should implement multi-factor authentication, use certificate-based authentication, regularly update and patch systems, and monitor for unauthorized access.

What are some common signs of VPN attacks enterprises should watch for?

‍Signs include unusual login attempts, increased authentication failures, and alerts from security monitoring systems indicating potential unauthorized access.