Threat actors are running an ongoing cybercriminal operation that targets the Check Point VPN. According to reports, the attackers are specifically going after Remote Access equipment, which would allow them to compromise enterprise networks.
Researchers explained that Remote Access is included in every Check Point network firewall. It can be set up as a client-to-site VPN for remote access to corporate networks using VPN clients or as an SSL VPN Portal for web-based access.
The vendor stated that the attackers are targeting security gateways with old local accounts that rely on weak password-only authentication, which should be replaced with certificate authentication to prevent breaches.
In addition, the company explained that it recently spotted compromised VPN solutions, including those of various cyber security vendors. It also said that it has been monitoring attempts to gain unauthorised access to Check Point’s customers’ VPNs.
By May 24, 2024, the company had also identified a small number of login attempts using old VPN local accounts that relied on the password-only authentication method, which is not recommended.
There have already been multiple campaigns that exploited the Check Point VPN.
Reports revealed that the company has already seen at least three attempts to exploit the Check Point VPN. Further analysis showed that these attacks follow the same pattern, which suggests a global trend behind this specific campaign.
To counter the ongoing attacks, the company advises its clients to look for weak accounts on Quantum Security Gateway, CloudGuard Network Security products, and the Mobile Access and Remote Access VPN software blades.
Customers should also upgrade their user authentication mechanism to a more secure alternative or delete vulnerable local accounts from the Security Management Server database.
The company has also released a Security Gateway update that reportedly prevents all local accounts from authenticating using a password. After installation, local accounts with weak password-only authentication cannot connect to the Remote Access VPN.
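The account review described above can be scripted against an account inventory and a login log. The following is an added example, not Check Point tooling: the CSV columns, the sample accounts, the sample login events and the 180-day staleness threshold are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; the column names are assumptions for this
# example and are not a Check Point export format.
SAMPLE_ACCOUNTS = """\
username,account_type,auth_methods,last_login
alice,local,password,2024-05-10
bob,local,password;certificate,2024-05-20
carol,directory,password,2024-05-22
svc-backup,local,password,
dave,local,certificate,2024-05-01
"""

# Constructed sample of remote-access login attempts (timestamp, user, result).
SAMPLE_LOGINS = [
    ("2024-05-24T02:11:09", "alice", "failed"),
    ("2024-05-24T02:11:40", "svc-backup", "failed"),
    ("2024-05-24T08:30:02", "bob", "success"),
    ("2024-05-24T09:00:00", "alice", "success"),
]

def audit_accounts(csv_text, today, stale_days=180):
    """Return {username: action} for local accounts that use a password only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        methods = {m.strip().lower() for m in row["auth_methods"].split(";") if m.strip()}
        if row["account_type"].strip().lower() != "local" or methods != {"password"}:
            continue
        last = row["last_login"].strip()
        # Never-used or long-unused accounts are deletion candidates (assumed policy).
        stale = not last or (today - date.fromisoformat(last)).days > stale_days
        findings[row["username"]] = "delete" if stale else "move to certificate authentication"
    return findings

def flag_logins(logins, findings):
    """Return login attempts that name an account flagged by audit_accounts."""
    return [event for event in logins if event[1] in findings]

if __name__ == "__main__":
    weak = audit_accounts(SAMPLE_ACCOUNTS, today=date(2024, 5, 28))
    for user, action in weak.items():
        print(f"{user}: password-only local account -> {action}")
    for ts, user, result in flag_logins(SAMPLE_LOGINS, weak):
        print(f"{ts} login attempt ({result}) on weak account {user}")
```

Any login attempt on a flagged account, successful or not, is worth reviewing until the account is deleted or moved to a stronger authentication method.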
Customers running the affected software should follow this advice to protect against threat actors. Staying knowledgeable and up to date about current trends is necessary to safeguard the digital landscape.