Cybercriminals are targeting the remote access VPN technology that Check Point integrates into all of its network firewalls. They are trying to get in using outdated and insecure password-only authentication.
Check Point provides further details in its warning: VPN technology can be configured as a client-to-site VPN connection, providing secure access to corporate networks via VPN clients, or the secure connection can be set up as an SSL VPN portal for access over the (public) Internet.
Cybercriminals attempt to penetrate the underlying network by logging in with old local accounts that rely on insecure password-only authentication. This form of authentication must usually be combined with certificate authentication to prevent system compromise.
We found three recent intrusion attempts that follow the same pattern. In any case, these attempts were enough for us to perform an analysis and determine the cause.
Check Point advice
Check Point advises users of network firewalls to carefully review their systems for any stale local accounts that could be exploited, including in its Check Point Quantum Security Gateway and CloudGuard Network Security solutions, as well as its Mobile Access and Remote Access VPN software blades.
It is also recommended that you convert your user authentication methods to more secure options or remove vulnerable local accounts from the Security Management Server database.
Additionally, a fix has been released that prevents all local accounts from logging in with only a password. After installing this fix, local accounts that use weak password-only authentication will no longer be able to log in to the remote access VPN feature.
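The review Check Point recommends (find enabled local accounts that authenticate with a password alone, note which of them are stale, and watch the VPN logs for password-only logins by those accounts) can be scripted. The block below is an added example written for this article, not Check Point's own tooling or export format: the account list and the log lines are constructed samples in a generic key=value shape, and the 90-day staleness threshold and the fixed "now" timestamp are assumptions chosen for the example.

```python
"""Audit VPN local accounts for password-only authentication (added example).

Assumptions (not from the article): the account list and the login log are
constructed here in a generic shape; a real deployment would export them
from its management server and adapt the parsing accordingly.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: local VPN accounts as a generic export might list them.
ACCOUNTS = [
    {"name": "vpn-admin",   "auth": "certificate+password", "last_login": "2024-05-20T09:12:00Z", "enabled": True},
    {"name": "contractor1", "auth": "password",             "last_login": "2024-05-10T14:30:00Z", "enabled": True},
    {"name": "svc-backup",  "auth": "password",             "last_login": None,                   "enabled": True},
    {"name": "old-staff",   "auth": "password",             "last_login": "2023-01-15T08:00:00Z", "enabled": False},
    {"name": "alice",       "auth": "certificate",          "last_login": "2024-05-25T07:45:00Z", "enabled": True},
]

# Constructed sample log lines in a generic key=value syslog style.
LOG_LINES = [
    '2024-05-26T02:13:41Z vpnd login user="contractor1" src=198.51.100.23 method=password result=failed',
    '2024-05-26T02:13:44Z vpnd login user="contractor1" src=198.51.100.23 method=password result=failed',
    '2024-05-26T02:14:02Z vpnd login user="svc-backup" src=198.51.100.23 method=password result=success',
    '2024-05-26T08:00:10Z vpnd login user="alice" src=203.0.113.5 method=certificate result=success',
]

STALE_AFTER = timedelta(days=90)                      # assumed policy threshold
NOW = datetime(2024, 5, 28, tzinfo=timezone.utc)      # fixed so results are reproducible

LOG_RE = re.compile(r'user="(?P<user>[^"]+)".*?method=(?P<method>\S+).*?result=(?P<result>\S+)')


def is_password_only(account):
    """True when the account has no certificate factor at all."""
    return account["auth"].strip().lower() == "password"


def is_stale(account, now=NOW, threshold=STALE_AFTER):
    """An account that never logged in, or not within the threshold, counts as stale."""
    if account["last_login"] is None:
        return True
    last = datetime.fromisoformat(account["last_login"].replace("Z", "+00:00"))
    return now - last > threshold


def risky_accounts(accounts=ACCOUNTS, now=NOW):
    """Enabled accounts that authenticate with a password alone, with a staleness flag."""
    findings = []
    for acct in accounts:
        if not acct["enabled"] or not is_password_only(acct):
            continue
        findings.append({"name": acct["name"], "stale": is_stale(acct, now)})
    return findings


def password_only_logins(log_lines=LOG_LINES, watch=None):
    """(user, result) pairs for logins that used password-only auth; optional watch list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "password":
            continue
        if watch is not None and m.group("user") not in watch:
            continue
        hits.append((m.group("user"), m.group("result")))
    return hits


def successful_stale_logins(accounts=ACCOUNTS, log_lines=LOG_LINES, now=NOW):
    """The highest-priority finding: a stale password-only account that logged in successfully."""
    stale = {f["name"] for f in risky_accounts(accounts, now) if f["stale"]}
    return [user for user, result in password_only_logins(log_lines, watch=stale) if result == "success"]


if __name__ == "__main__":
    for f in risky_accounts():
        print(f"password-only account: {f['name']} (stale={f['stale']})")
    for user, result in password_only_logins(watch={f["name"] for f in risky_accounts()}):
        print(f"password-only login by watched account {user}: {result}")
    for user in successful_stale_logins():
        print(f"ALERT: stale password-only account {user} logged in successfully")
```

Running it lists the two enabled password-only accounts, shows that one of them is stale and has never logged in, and raises an alert because that stale account appears in the log with a successful password-only login; the disabled account is ignored, and certificate-backed logins are not reported. The same two lists (accounts to convert or remove, and logins to investigate) are what the advice above asks an administrator to produce.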
Other VPN environments are also under attack
Check Point's VPN technology isn't the only one under attack: Cisco has previously said that its VPN devices have also been targeted in hacking attacks.
Additionally, VPN and SSH services and devices from vendors such as SonicWall, Fortinet and Ubiquiti are open to brute-force attacks aimed at stealing login credentials.