Check Point Software Technologies has issued a security advisory warning about threat actors targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks.

Description

Hackers are using VPNs as entry points to infiltrate enterprises and exploit vulnerabilities [8], prompting the company to release new security measures to prevent unauthorized access [8]. The company’s Remote Access VPN offers secure remote access to corporate data centers and headquarters [2], encrypting all traffic [2].

Check Point has observed attacks targeting VPNs with outdated local accounts that use password-only authentication, which underscores the security risk of that method. Cybercriminals are targeting Check Point VPNs for Windows and macOS customers globally, and the reported activity includes compromised VPN solutions and unauthorized access attempts [8]. Malicious groups are using VPNs as an entry point to discover assets and users [7], seeking vulnerabilities for persistence [7].

To address this issue, organizations are advised to review their VPN configurations, disable unused local accounts [3] [6], and implement multi-factor authentication for enhanced security. Additionally, a vulnerability in Check Point Network Security gateways has been discovered [7], allowing attackers to access certain information on internet-connected gateways with remote access VPN or mobile access enabled [3] [7]. Check Point advises customers to check for vulnerable accounts on Quantum Security Gateway and CloudGuard Network Security products [1], as well as Mobile Access and Remote Access VPN software blades [1].

Check Point has released a solution that automatically prevents unauthorized access through local accounts with password-only authentication [4]. Customers are urged to install this fix on their Network Security gateways to mitigate the risk of exploitation. This warning comes after a series of credential brute-force intrusions against various VPN and SSH services [5], including those of Check Point [5], Cisco [5], SonicWall [5], Fortinet [5], and Ubiquiti devices [5].

Check Point recommends preventative measures such as changing authentication methods and deleting unused accounts [2], and has released a Security Gateway Hotfix to enhance product security by blocking local accounts using Check Point passwords as the only authentication factor [2].
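The account review recommended above can be scripted against an account inventory. The following is an added example, not code from Check Point or the cited articles: the CSV columns, the sample rows and the 90-day staleness threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The column names are hypothetical and do not
# correspond to any Check Point export format.
SAMPLE_INVENTORY = """\
username,account_type,auth_methods,last_login
alice,local,password,2024-05-20
svc-backup,local,password,2023-01-11
bob,local,password+certificate,2024-05-25
carol,ldap,password,2024-05-27
old-vendor,local,password,
dave,local,password+otp,2022-09-01
"""


def audit_local_accounts(inventory_csv, today, stale_days=90):
    """Map each risky local account to its issues: 'password-only', 'unused'."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Only local accounts are in scope; directory-backed users are skipped.
        if row["account_type"].strip().lower() != "local":
            continue
        issues = []
        methods = {m.strip().lower() for m in row["auth_methods"].split("+") if m.strip()}
        if methods == {"password"}:
            issues.append("password-only")
        # A never-used account (empty last_login) counts as unused.
        last = row["last_login"].strip()
        if not last or (today - date.fromisoformat(last)).days > stale_days:
            issues.append("unused")
        if issues:
            report[row["username"]] = issues
    return report


if __name__ == "__main__":
    for user, issues in audit_local_accounts(SAMPLE_INVENTORY, date(2024, 5, 28)).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts that carry both findings are the ones the advisory's guidance applies to most directly: delete or disable them first, then move the remaining password-only accounts to a second factor.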

Conclusion

Organizations must take immediate action to review and enhance their VPN configurations to prevent unauthorized access and protect sensitive data. Implementing multi-factor authentication and installing security updates are crucial steps to mitigate the risk of exploitation by cybercriminals. The discovery of a vulnerability in Check Point Network Security gateways highlights the importance of ongoing monitoring and updating of security measures to safeguard against potential threats.

References

[1] https://www.secureworld.io/industry-news/check-point-remote-access-vpn
[2] https://www.techworm.net/2024/05/hacker-check-point-vpn-breach-enterprise-network.html
[3] https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/
[4] https://www.infosecurity-magazine.com/news/check-point-urges-vpn-configuration/
[5] https://www.scmagazine.com/brief/ongoing-enterprise-hacking-campaign-targets-check-point-vpns
[6] https://www.helpnetsecurity.com/2024/05/28/attackers-target-check-point-vpn/
[7] https://siliconangle.com/2024/05/28/check-point-warns-increase-enterprise-attacks-targeting-vulnerable-vpns/
[8] https://www.hackread.com/hackers-target-check-point-vpns-security-fix-released/