In a recent advisory, Check Point Software Technologies has highlighted a significant ongoing threat targeting enterprise networks through remote access VPN devices. This development reflects a growing trend in which malicious groups exploit remote-access VPN environments as entry points into corporate infrastructure.
Check Point’s remote access VPN, integral to all its network firewalls, provides secure access to corporate networks via VPN clients or web server-based SSL VPN portals. However, attackers are currently focusing on security gateways with outdated local accounts that rely solely on password authentication, which is considered insecure without an additional layer of certificate authentication.
As of May 2024, Check Point had identified several login attempts using old VPN local accounts with password-only authentication. These attempts, though initially limited, are part of a broader global trend that showcases a straightforward method for unauthorized access. A spokesperson from Check Point revealed three initial attempts, with further analysis indicating a similar pattern in other cases, highlighting the need for enhanced security measures.
To counter these attacks, Check Point has issued several key recommendations for its customers:
- Check for Vulnerable Accounts
- Disable Unused Accounts
- Enhance Authentication Methods
- Deploy Security Gateway Hotfix
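The first three recommendations amount to an inventory review: find local accounts that still rely on a password alone, and disable the ones nobody uses. The following is an added illustration of that review, not Check Point’s tooling; it assumes a hypothetical exported account inventory (the `VpnAccount` fields and the sample records below are constructed) and a 90-day idle threshold chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class VpnAccount:
    """One entry of a hypothetical local-account export from a VPN gateway."""
    name: str
    local: bool                 # defined on the gateway itself, not directory-backed
    password_auth: bool         # password authentication enabled
    cert_auth: bool             # certificate authentication enabled
    last_login: Optional[date]  # None means the account has never logged in

def audit_accounts(accounts: List[VpnAccount], today: date,
                   stale_days: int = 90) -> Dict[str, str]:
    """Map each local account matching the advisory's risk pattern to an action.

    Unused accounts (never logged in, or idle longer than stale_days) should be
    disabled; active accounts that rely on a password alone should gain
    certificate authentication. Directory-backed accounts are out of scope.
    """
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.local:
            continue
        idle_days = (today - acct.last_login).days if acct.last_login else None
        unused = idle_days is None or idle_days > stale_days
        password_only = acct.password_auth and not acct.cert_auth
        if unused:
            findings[acct.name] = "disable: unused local account"
        elif password_only:
            findings[acct.name] = "harden: add certificate authentication"
    return findings

# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_ACCOUNTS = [
    VpnAccount("legacy-vpn", True, True, False, date(2023, 11, 2)),
    VpnAccount("contractor", True, True, False, date(2024, 5, 20)),
    VpnAccount("ops-admin", True, True, True, date(2024, 5, 27)),
    VpnAccount("jdoe", False, True, False, date(2024, 5, 27)),
    VpnAccount("never-used", True, True, False, None),
]
AUDIT_DATE = date(2024, 5, 28)

if __name__ == "__main__":
    for name, action in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {action}")
```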
This issue is not unique to Check Point. In April 2024, Cisco warned of widespread credential brute-force attacks targeting VPN and SSH services across multiple vendors including Check Point, SonicWall, Fortinet and Ubiquiti. These attacks, originating from TOR exit nodes and other anonymization tools, have been ongoing since March 18, 2024. Cisco also reported that password-spraying attacks were linked to the “Brutus” malware botnet, which controls over 20,000 IP addresses across cloud services and residential networks. Additionally, the UAT4356 state-backed hacking group has been exploiting zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to breach government networks globally since November 2023.
The surge in attacks on VPN services underscores the critical need for robust security measures. Check Point’s proactive steps, including the release of a hotfix and detailed recommendations for enhancing VPN security, aim to mitigate the risks posed by these sophisticated cyber threats. Enterprises are urged to follow these guidelines diligently to protect their networks from unauthorized access and potential breaches.