Check Point confirms VPN services targeted by hackers

Hackers are trying to wiggle their way into corporate networks through poorly protected Check Point Remote Access VPN devices, the company has confirmed in a security advisory.

Check Point Remote Access VPN software allows for secure remote access to corporate networks. Employees and authorized users can connect to their organization’s network securely over the internet, accessing internal resources, applications, and data, from different devices such as smartphones or laptops, in the same way as if they were physically within the corporate network.

All Check Point network firewalls come with Remote Access, which can be configured as a client-to-site VPN, or set up as an SSL VPN Portal.

Understanding the trend

Now, hackers are going after old accounts that are only protected with passwords, to try and get easy access. While, luckily, there haven’t been too many attempts so far, they do represent a trend that needs to be cut short, the researchers said. Also luckily, the remedy is quite simple to implement.

“We have recently witnessed compromised VPN solutions, including various cyber security vendors,” the company’s security advisory noted. “In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers. By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”

“We’ve seen 3 such attempts, and later when we further analyzed it with the special teams we assembled, we saw what we believe are potentially the same pattern (around the same number). So – a few attempts globally all in all but enough to understand a trend and especially- a quite straightforward way to ensure it’s unsuccessful,” a Check Point spokesperson told BleepingComputer.

Organizations looking to remain secure should check for vulnerable accounts on Quantum Security Gateway and CloudGuard Network Security products and on Mobile Access and Remote Access VPN software blades. T

hey should also change user authentication methods to something more secure, or alternatively – delete vulnerable local accounts from the Security Management Server database.