Cybercriminals Exploit Check Point VPNs in Ongoing Attack Campaign

Check Point has reported that cybercriminals are targeting Check Point Remote Access VPN devices as part of an ongoing campaign to breach corporate networks.

Remote access is integrated into all Check Point network firewalls. It can be configured as a “client-to-site” VPN, in which users reach the corporate network through a VPN client, or as an SSL VPN for access through a browser over the Internet. Attackers are interested in these remote access configurations because they offer a path into organizational networks; by exploiting weaknesses in them, they can discover enterprise assets and users.

According to Check Point, cybercriminals are targeting security gateways through outdated local accounts that rely on insecure password-only authentication. Password-only authentication is not sufficient on its own and must be combined with certificate authentication to prevent breaches. The company revealed that by May 24 it had identified three such login attempts, including against the systems of various cybersecurity solution providers and Check Point clients.

To defend against ongoing attacks, Check Point urged clients to check for vulnerable accounts in Quantum Security Gateway and CloudGuard Network Security products, as well as in Mobile Access and Remote Access VPN software blades. Clients are advised to change the user authentication method to more secure options or remove vulnerable local accounts from the Security Management Server database.

The company also released a Security Gateway patch that blocks password-only authentication for all local accounts. Once the patch is installed, local accounts that rely on this weak authentication method can no longer log into Remote Access VPN; such vulnerable local accounts are locked.

Clients can find additional information on improving their VPN security in the support article, which also provides recommendations for responding to unauthorized access attempts.

Check Point is not the only vendor whose VPN devices have been attacked in recent months. In April, Cisco Talos experts discovered a large-scale credential stuffing campaign targeting the VPN and SSH services of vendors including Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti.

At the end of March 2024, Cisco had already warned of a wave of attacks targeting the remote access VPN services on Cisco Secure Firewall devices. These attacks are particularly effective against weak password policies, because attackers try a small set of commonly used passwords against numerous usernames.
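The two defensive tasks the article describes, finding local accounts that still authenticate with a password only (the Check Point remediation advice above) and spotting the "few passwords, many usernames" pattern of the Cisco-reported attacks, can both be worked from VPN authentication logs. The script below is an added example, not code from Check Point, Cisco or the article; the log format, the gateway name `vpn-gw`, the user names and the source addresses are all constructed for the example and do not reflect any real product's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not any vendor's real schema).
# One source tries five different users with password auth within seconds, then
# succeeds against a legacy password-only service account; another source is a
# legitimate user who mistypes twice and then logs in with a certificate.
SAMPLE_LOGS = """\
2024-05-24T10:00:01Z vpn-gw auth result=fail user=alice src=203.0.113.7 method=password
2024-05-24T10:00:03Z vpn-gw auth result=fail user=bob src=203.0.113.7 method=password
2024-05-24T10:00:05Z vpn-gw auth result=fail user=carol src=203.0.113.7 method=password
2024-05-24T10:00:07Z vpn-gw auth result=fail user=dave src=203.0.113.7 method=password
2024-05-24T10:00:09Z vpn-gw auth result=fail user=erin src=203.0.113.7 method=password
2024-05-24T10:00:11Z vpn-gw auth result=success user=svc_legacy src=203.0.113.7 method=password
2024-05-24T10:01:00Z vpn-gw auth result=fail user=alice src=198.51.100.20 method=password
2024-05-24T10:01:30Z vpn-gw auth result=fail user=alice src=198.51.100.20 method=password
2024-05-24T10:02:00Z vpn-gw auth result=success user=alice src=198.51.100.20 method=certificate
2024-05-24T11:30:00Z vpn-gw auth result=fail user=frank src=203.0.113.7 method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def password_only_users(log_text):
    """Users who have successfully authenticated with a password alone.

    These are the accounts the advisory wants moved to a stronger method or removed.
    """
    users = set()
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event["result"] == "success" and event["method"] == "password":
            users.add(event["user"])
    return sorted(users)


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail password logins for many distinct users inside one window.

    Returns {src: {"max_distinct_users_in_window": n, "password_only_successes": [...]}}.
    A later password-only success from the same source is reported alongside,
    because a spray followed by a success is the case to investigate first.
    """
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "fail" and e["method"] == "password"]
        best, start = 0, 0
        # Sliding window over the time-ordered failures: count distinct usernames.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in fails[start:end + 1]}))
        if best >= min_users:
            successes = sorted({e["user"] for e in events
                                if e["result"] == "success" and e["method"] == "password"})
            findings[src] = {"max_distinct_users_in_window": best,
                             "password_only_successes": successes}
    return findings


if __name__ == "__main__":
    print("password-only accounts to remediate:", password_only_users(SAMPLE_LOGS))
    for src, info in detect_password_spray(SAMPLE_LOGS).items():
        print(f"spray-like activity from {src}: {info}")
```

The window size and the distinct-user threshold are the tuning knobs: the legitimate user at 198.51.100.20 fails twice against a single account and is never flagged, while 203.0.113.7 trips the threshold with five usernames in eight seconds and is additionally reported with the password-only account it later reached.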