Techno, Intuisi Blog – Attackers have targeted Check Point Remote Access VPN servers as part of a continuing attempt to hack into enterprises’ networks, the firm cautioned in a warning issued on Monday.
Remote Access integrates to the majority of Check Point network firewalls. Remote Access can be set up as a site-to-client VPN that allows access to corporate networks using VPN clients, or configured to function as an SSL VPN portal to allow web-based access.
Check Point Software VPN
Check Point says the attackers attack security gateways using outdated local accounts, using unsecure password-only authentication. This is recommended to use along with certificate authentication to protect against attacks.
“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method,” the company stated.
“We’ve seen 3 such attempts, and later when we further analysed it with the special teams we assembled, we saw what we believe are potentially the same pattern (around the same number). So – a few attempts globally all in all but enough to understand a trend and especially- a quite straightforward way to ensure it’s unsuccessful,” an official from Check Point Check Point told.
In order to protect themselves from these constant attack, Check Point warned customers to search for these weak accounts in Quantum Security Gateway and CloudGuard Network Security products, as well as in Mobile Access and Remote Access VPN blades of software.
The customer is advised to alter the method of authentication used by users for more secure methods (using directions in this help document) or erase account accounts that are vulnerable locally in security management server. Security Management Server database.
The company has also announced the Security Gateway hotfix that blocks any local account from authenticating using a password. Following installation, accounts using inadequate password-only authentication will be blocked from connecting to the VPN Remote Access.
Users can learn more regarding improving their VPN’s security by reading this help article and provides tips on dealing with unauthorized access attempts. “By May 24th,
Cisco VPN devices also heavily targeted
Check Point is the second company to alert it’s VPN devices are hit by ongoing cyberattacks over the last few months.
The month of April was when Cisco was also warned of the widespread use of credential brute forcing attacks that targeted VPN as well as SSH services available on Cisco, Check Point, SonicWall, Fortinet, and Ubiquiti devices.
This campaign was launched on March 18 2024. It was a series of attacks coming via TOR exit nodes, and then using several other tools for anonymization and proxy servers to bypass blockades.
The previous month, Cisco warned about a attack that sprayed passwords which targeted Cisco Secure Firewalls running Remote Access VPN (RAVPN) Services, which could be as part of the first stage reconnaissance.
Researcher Aaron Martin linked the activity to an unknown malware botnet that he named “Brutus,” which controlled more than 20000 IP addresses in the cloud and on residential networks.
The company has also disclosed that the UAT4356 (aka Storm-1849) cyber-attack group that is backed by the government used zero-day flaws that are present in Cisco Adaptive Security Appliance (ASA) as well as Firepower Threat Defense (FTD) firewalls to penetrate the security of government networks around the world from at least the beginning of the month of November in an cyber-espionage operation known by ArcaneDoor.
