Attackers are probing Check Point Remote Access VPN devices
Attackers are trying to gain access to Check Point VPN devices via local accounts protected only by passwords, the company has warned on Monday.
Their ultimate goal is to use that access to discover and pivot to other enterprise assets and users, and gain persistence in enterprise environments.
Attacks against VPN and other services
In mid-April 2024, Cisco Talos warned about a global increase in brute-force attacks against VPN services, web application authentication interfaces and SSH services.
The devices targeted in these attacks were those by Cisco, Check Point, Fortinet and Sonicwall (VPNs), as well as by MiktroTik, Draytek, and Ubiquiti.
The attempts were coming from IP addresses associated with proxy services, and were trying out combinations of most likely usernames and common passwords, such as “Passw0rd”, “qwerty”, “test123”, etc.
Utilized usernames fall into one of several categories:
- a-z first name initials + common surnames, e.g., “cwilliams”, “jgarcia”, “msmith”
- Common names like “mary”, “brian”, “leon”, etc.
- Role/service-related words: “test.user”, “superadmin”, “cloud”, “ftpadmin”, “backupuser”, “vpn”, etc.
Check Point now says that they have also recently witnessed compromised VPN solutions, including those by various cyber security vendors.
“In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”
Attack prevention
The good news here is that these attacks can be easily thwarted, either by:
- Disabling local accounts (if they are not used)
- Adding another layer of authentication (e.g., certificates), or
- Installing a hotfix that blocks internal users from logging into Remote Access VPN with password as the only authentication factor.
“Password-only authentication is considered an unfavorable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure,” Check Point said, and offered additional advice on how to improve their VPN security posture and investigate unauthorized access attempts.