Malicious Hackers Target Check Point VPNs to Breach Enterprise Networks

Threat actors are targeting Check Point Software Technologies’ remote-access VPN devices in an ongoing campaign to breach enterprise networks.

Gil Messing, Check Point’s chief of staff, tells us at the moment, partners don't need to take any immediate action, “but we will keep them informed as the investigation unfolds.”

“We are working closely with specific customers to address any concerns they may have, but It’s not more than this at this stage,” he said.

Check Point's Gil Messing

Over the past few months, Check Point has seen increased interest from malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises, the vendor wrote in a blog. Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking vulnerabilities in order to gain persistence on key enterprise assets.

Check Point Identifies Login Attempts

“We have recently witnessed compromised VPN solutions, including various cybersecurity vendors,” Check Point said. “In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, we identified a small number of login attempts using old VPN local accounts relying on [an] unrecommended password-only authentication method. We have assembled special teams of incident response, research, technical services and products professionals, which thoroughly explored those and any other potential related attempts. Relying on these customers’ notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.”

Password-only authentication is considered an unfavorable method to ensure the highest levels of security, and Check Point recommends not relying on this when logging-in to network infrastructure.

Check Point has released a solution as a preventative measure to address these unauthorized remote access attempts.

"Today, we found the root cause for these and are now releasing a fix," it said. "To remain protected, it is mandatory for customers to install this fix on Check Point Network Security gateways. The vulnerability potentially allows an attacker to read certain information on internet-connected gateways with remote-access VPN or mobile access enabled. The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication. The attempts we’ve seen so far, in line with [Monday's] alert, are focusing on the same scenario with the known small number of customers we referred to [on Monday]."

Check Point’s Advisory ‘Important’

Jason Soroko, senior vice president of product at Sectigo, said the advisory going out to Check Point customers is an important one.

Sectigo's Jason Soroko

“Switching from weak authentication to stronger authentication has multiple benefits,” he said. “Username and password authentication is below the threshold of basic security, especially when much stronger forms of authentication are available. In addition to being insecure and inefficient, passwords are becoming increasingly inappropriate for many modern enterprise use cases. Many of today’s enterprise applications already actively support modern alternatives to passwords by offering certificate-based authentication as the de-facto technology to replace passwords for humans and machines.

Patrick Tiquet, vice president of security and architecture at Keeper Security, said Check Point's advisory is a reminder that threat actors are continually evolving their tactics, highlighting the critical need for enterprises to proactively defend themselves against cyber threats.

“Attackers exploiting old, insecure local accounts is a reminder that security is an ongoing process, and enterprises must continually update their authentication methods to ensure they are in line with the latest best practices,” he said. “Reliance on password-only authentication is a glaring vulnerability that can be easily exploited. Enterprises must adopt a layered security approach that includes strong authentication methods, regular security assessments and timely application of security patches. When possible, multifactor authentication (MFA) should be enabled to help protect against phishing and brute force, among other cyberattacks.”