Check Point has warned customers of ongoing campaigns by threat actors targeting its Remote Access VPN devices. In its latest advisory, the firm said it had observed cybercriminals mounting several campaigns in recent months to gain access to customers’ networks via its VPNs. The most concerning of these, it said, relied on password-only authentication methods to try to gain unauthorised access.
“Attackers are motivated to gain access to organisations over remote-access setups so they can try to discover relevant enterprise assets and users, [looking] for vulnerabilities in order to gain persistence on key enterprise assets,” said the firm. “By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”
Check Point warns against relying solely on passwords
Relying on passwords alone to secure access to enterprise networks is frowned upon by most IT security experts, a point Check Point reinforced in its advisory. It recommended that all customers check whether they have local accounts (accounts defined on the gateway itself rather than backed by a central directory) and review when each was last accessed “and by whom.” Local accounts that are not used regularly should be deleted, it added. Those that are still needed should be secured with an additional authentication factor beyond the password, together with a new solution Check Point has released to block unauthorised access attempts against such accounts.
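The audit described above (find local accounts, see when and from where each was last used, delete the stale ones, add a factor to the rest) is easy to script once you have an export of authentication events. The following is an added example, not Check Point's tooling, and the event format it parses is a constructed generic one (timestamp, account, account type, auth method, source IP, result); real gateway logs differ, so the parser is the part you would adapt. The sample events, the 90-day staleness threshold and the fixed reference time are assumptions made for the example.

```python
"""Audit VPN local accounts from an export of authentication events.

Added example, not Check Point's own tooling. The line format below is a
constructed, generic one; adapt parse_events() to your gateway's export.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed sample export (NOT a real Check Point log format):
# "<ISO-8601 timestamp> <account> <account_type> <auth_method> <src_ip> <result>"
SAMPLE_EVENTS = """\
2024-05-20T08:12:01Z vpn-admin local password 203.0.113.10 success
2024-05-21T09:40:33Z j.doe ldap certificate+password 198.51.100.7 success
2024-05-22T23:55:10Z vpn-legacy local password 203.0.113.55 failure
2024-05-23T00:01:42Z vpn-legacy local password 203.0.113.55 failure
2024-05-24T03:14:07Z vpn-legacy local password 203.0.113.55 success
2024-01-02T10:00:00Z old-contractor local password 192.0.2.9 success
"""

# Fixed reference time so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 24, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed policy: unused for 90 days -> delete


@dataclass
class AuthEvent:
    ts: datetime
    account: str
    account_type: str   # "local" = defined on the gateway; anything else is directory-backed
    auth_method: str    # "password", "certificate", "certificate+password", ...
    src_ip: str
    result: str         # "success" or "failure"


@dataclass
class Finding:
    last_success: Optional[datetime] = None
    sources: Set[str] = field(default_factory=set)   # "by whom / from where"
    methods: Set[str] = field(default_factory=set)   # auth methods seen on successful logins
    failures: int = 0                                # failed attempts, e.g. password guessing
    recommendation: str = ""

    @property
    def password_only(self) -> bool:
        """True when every successful login used nothing but a password."""
        return bool(self.methods) and self.methods == {"password"}


def parse_events(text: str) -> List[AuthEvent]:
    """Parse the constructed whitespace-separated export into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, account_type, auth_method, src_ip, result = line.split()
        # fromisoformat() accepts "+00:00" on all supported Python versions; "Z" only on 3.11+
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                account, account_type, auth_method, src_ip, result))
    return events


def audit_local_accounts(events: List[AuthEvent], now: datetime = NOW,
                         stale_after: timedelta = STALE_AFTER) -> Dict[str, Finding]:
    """For each local account: last successful login, sources, methods, failures,
    and a recommendation (delete if unused; add a second factor if password-only)."""
    findings: Dict[str, Finding] = {}
    for e in events:
        if e.account_type != "local":      # directory-backed accounts are out of scope here
            continue
        f = findings.setdefault(e.account, Finding())
        if e.result == "success":
            f.methods.add(e.auth_method)
            f.sources.add(e.src_ip)
            if f.last_success is None or e.ts > f.last_success:
                f.last_success = e.ts
        else:
            f.failures += 1
    for f in findings.values():
        if f.last_success is None or now - f.last_success > stale_after:
            f.recommendation = "delete: unused"
        elif f.password_only:
            f.recommendation = "add second factor: password-only"
        else:
            f.recommendation = "keep"
    return findings


if __name__ == "__main__":
    for name, f in audit_local_accounts(parse_events(SAMPLE_EVENTS)).items():
        last = f.last_success.isoformat() if f.last_success else "never"
        print(f"{name:15} last={last} from={sorted(f.sources)} "
              f"failures={f.failures} -> {f.recommendation}")
```

Run against the constructed sample, the script flags old-contractor for deletion (no login in 143 days), vpn-admin and vpn-legacy for an additional factor (password-only logins), and shows that vpn-legacy took two failed attempts from the same address before succeeding, which is exactly the kind of account the advisory's "small number of login attempts" would show up against.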
For those customers that had been impacted by threat actors targeting Check Point VPNs, said the firm, it “assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly exploited those and any other potential related attempts.” It was this effort, said Check Point, which led to the identification of a handful of other affected customers.
VPNs vulnerable to exploitation
VPNs are proving increasingly attractive targets for threat actors. According to Zscaler’s 2024 ThreatLabz VPN Risk Report, some 56% of organisations said theirs had been targeted by cybercriminals, while 78% said they planned to implement zero trust strategies in the next year. The top threats arising from the successful exploitation of VPNs, the cybersecurity firm continued, were ransomware, malware infections and DDoS attacks.
“Over the past year, numerous critical VPN vulnerabilities have served as successful entry points for attacks on large enterprises and federal entities,” said Deepen Desai, CSO at Zscaler. “It is essential to transition to a Zero Trust architecture, which significantly reduces the attack surface by eliminating legacy technologies like VPNs and Firewalls, enforces consistent security controls with TLS inspection, and limits the blast radius with segmentation & deception, thereby preventing damaging breaches.”