Check Point warns of threat actors targeting VPNs

Check Point Software Technologies warned of attempted attacks against its VPNs by targeting accounts that use passwords as the only means of authentication.

The warning came via a Monday blog post urging readers to improve their VPN security postures. Check Point said it had seen an increase in threat actors leveraging remote access VPN environments to breach enterprise networks. As part of this trend, Check Point said it has "recently witnessed compromised VPN solutions, including various cyber security vendors."

While monitoring for suspicious VPN-related activity against its customers, the company "identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method." These attempts occurred at least through May 24.

"We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts," the blog post read. "Relying on these customers notifications and Check Point's analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts."

The company warned against password-only authentication and recommended organizations do not rely on it for logging into network infrastructure. Additionally, Check Point released a hotfix for its Security Gateway products that blocks local accounts using password authentication. This would presumably stop old, unused accounts from being used in attacks like those described in the blog post.

In a list of recommended mitigations, Check Point advised organizations to identify if they have local accounts and review how they have been used, disable local accounts if they are not already in use, and add extra authentication to accounts with password-only protection currently in use.

Check Point chief of staff Gil Messing told TechTarget Editorial in an email that as of May 24, the company had seen three compromise attempts on Check Point customers and that upon further analysis, "we identified what we believe to be a potentially recurring pattern (around the same number)."

"While there have been only a few attempts globally, it's enough to recognize a trend and, more importantly, a straightforward way to ensure it's unsuccessful," Messing said. While he did not confirm whether any breaches were successful, Messing said that at this stage, Check Point is investigating attack attempts and "working closely with specific customers to address any concerns they may have."

Asked about what made this series of attacks noteworthy given how common identity attacks against poor password hygiene are, Messing said Check Point felt any pattern, large or small, was worth calling attention to.

"For us, when we see a clear pattern (in this case, trying to attack local accounts with password-only authentication) -- even if it's small (and it is) -- and we know it can be prevented quite easily, it's enough for us to share the update and offer recommendations and automated solutions to our customers," he said.

High-stakes cyberattacks involving VPNs are unfortunately commonplace. For example, CISA disclosed in March that it experienced a breach via an authentication bypass vulnerability affecting Ivanti Policy Secure network access controllers and a command injection flaw affecting Ivanti Connect Secure VPNs. Meanwhile, cyber insurer Coalition said in a report last month that insurance claims from users of Cisco Adaptive Security Appliance, a product that includes VPN capabilities, spiked in 2023. Coalition's report noted that network edge devices such as VPNs are prime targets for a variety of threat actors.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.