Check Point Issues Warning About Attacks Targeting VPNs for Initial Access
Check Point issued a warning on Monday that hackers are actively targeting VPN solutions with weak security settings to gain initial access to enterprise networks, and urged organizations that use VPN solutions for remote access to review their configurations and take steps to harden them. Check Point explained that over the past few months it has observed an increase in malicious actors targeting multiple VPN products, including its own, for initial access. The new attack trend prompted Check Point to begin monitoring attempts by malicious actors to gain unauthorized access to the VPNs of Check Point customers, and as of May 24, 2024, Check Point had identified a small number of unauthorized login attempts against Check Point Remote Access VPN devices.
The attacks involved old VPN local accounts that relied on password-only authentication, a method Check Point does not recommend. Password-only authentication is not recommended because nothing stops compromised credentials from granting access, and it offers insufficient protection against brute force attempts to guess weak passwords. Check Point investigated the login attempts against Check Point Network Security gateways further and identified the root cause. A hotfix has now been made available to address the vulnerability, which is tracked as CVE-2024-24919.
“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled,” explained Check Point in the alert. “The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” Check Point has advised all customers to apply the hotfix, which will block local accounts from authenticating with a password alone.
Check Point said its initial monitoring identified three attempts to compromise its VPNs, and further analyses by its assembled security teams found a potentially recurring pattern involving a similar number. While there have just been a few attempts to exploit weak configurations, it was enough to recognize a trend and develop a straightforward way to ensure that those attempts are unsuccessful.
In addition to attacks on VPNs, there have been increasing numbers of attempts to exploit other edge devices, including firewalls that expose remote access services, among them Check Point Firewalls. Check Point Firewalls have integrated remote access that can be configured as a client-to-site VPN for access to corporate networks via VPN clients, or alternatively as an SSL VPN Portal for web-based access. Until the hotfix can be applied, Check Point recommends enumerating local accounts, determining whether each has been used and by whom, and disabling any that are not in use. Any local accounts that are still needed and are protected only by a password should have another authentication factor added, such as a certificate.
Evidence is growing that threat actors, including state-sponsored hackers and cybercriminal groups, are actively targeting a range of edge devices for initial access. Last month Cisco issued a warning about a campaign targeting its firewall appliances that attempted to install malware and exfiltrate data. Cisco also warned about password spraying attacks against remote access VPN and SSH services, and brute force attacks on Cisco, Check Point, Fortinet, Ubiquiti, and SonicWall devices. Those attempts have recently been linked with a malware botnet dubbed Brutus, which uses a network of around 20,000 compromised devices to conduct brute force attacks, making around six attempts from one IP address before switching to a new IP and repeating the process.
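The Brutus pattern described above (roughly six attempts per source IP, then rotation to a fresh IP) is designed to stay under the per-IP lockout and alerting thresholds that catch a classic single-source brute force. The script below is an added example, not code from the original article or from Check Point or Cisco, showing how a detection can be written to catch both patterns plus the password-only local-account logins Check Point singled out. The log line format, field names, thresholds, and all sample log lines are assumptions constructed for the example; they do not reproduce any vendor's real log format.

```python
"""Flag single-source brute force, distributed (Brutus-style) password spraying,
and password-only VPN logins in a batch of authentication log lines.

Log line shape assumed for this example (constructed, not a vendor format):
2024-05-24T10:00:00Z src=203.0.113.1 user=admin result=fail auth=password
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+) auth=(?P<auth>\S+)$"
)


def parse_events(lines):
    """Parse matching lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(lines, window=timedelta(minutes=30), single_ip_threshold=10,
           min_distinct_ips=5, max_fails_per_ip=8):
    """Return a list of findings. Thresholds are illustrative assumptions.

    single_source_bruteforce: one IP with >= single_ip_threshold failures.
    distributed_bruteforce:   one username failed from >= min_distinct_ips IPs,
                              each IP staying at or below max_fails_per_ip
                              (the Brutus low-and-slow shape), within `window`.
    password_only_login:      a successful login that used only a password.
    """
    events = parse_events(lines)
    fails_per_ip = defaultdict(int)
    fails_per_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> count
    span_per_user = {}                                        # user -> (first, last)
    findings = []

    for ev in events:
        if ev["result"] == "fail":
            fails_per_ip[ev["src"]] += 1
            fails_per_user[ev["user"]][ev["src"]] += 1
            lo, hi = span_per_user.get(ev["user"], (ev["ts"], ev["ts"]))
            span_per_user[ev["user"]] = (min(lo, ev["ts"]), max(hi, ev["ts"]))
        elif ev["result"] == "success" and ev["auth"] == "password":
            findings.append({"type": "password_only_login", "key": ev["user"], "detail": ev["src"]})

    for src, n in fails_per_ip.items():
        if n >= single_ip_threshold:
            findings.append({"type": "single_source_bruteforce", "key": src, "detail": n})

    for user, by_ip in fails_per_user.items():
        lo, hi = span_per_user[user]
        if (len(by_ip) >= min_distinct_ips
                and max(by_ip.values()) <= max_fails_per_ip
                and hi - lo <= window):
            findings.append({"type": "distributed_bruteforce", "key": user,
                             "detail": {"ips": len(by_ip), "attempts": sum(by_ip.values())}})
    return findings


def build_sample_log():
    """Constructed sample log for the example; not real traffic."""
    base = datetime(2024, 5, 24, 10, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # Classic brute force: 12 failures on one account from a single IP, one per minute.
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(minutes=i))} src=198.51.100.7 user=vpnuser1 result=fail auth=password")
    # Brutus-style spray: 6 IPs, 6 attempts each, rotating over about 23 minutes.
    for n in range(1, 7):
        for i in range(6):
            t = base + timedelta(minutes=3 * n + i)
            lines.append(f"{fmt(t)} src=203.0.113.{n} user=admin result=fail auth=password")
    # Old local account logging in with a password only (what the hotfix is meant to block).
    lines.append(f"{fmt(base + timedelta(minutes=40))} src=192.0.2.9 user=backup result=success auth=password")
    # Certificate-backed login; must not be flagged.
    lines.append(f"{fmt(base + timedelta(minutes=41))} src=192.0.2.10 user=alice result=success auth=certificate")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(finding)
```

Note that the per-IP counter alone never fires on the spray, since each of the six rotating IPs stops at six failures; the distributed rule keys on the targeted username instead and counts distinct sources, which is the pivot that survives IP rotation. In production the thresholds and the time window would be tuned against the gateway's normal failure rate, and the username-keyed view should be retained even after the hotfix, since blocking password-only accounts does not stop attackers from continuing to probe.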


