Updated: May 28, 2024 at 1PM PT
Yesterday (May 27, 2024) we delivered a solution that addresses attempts we saw on a small number of customers’ VPN remote access networks as referenced below.
Today, we found the root cause for these and are now releasing a fix. To remain protected, it is mandatory for customers to install this fix on Check Point Network Security gateways.
The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled. The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication. Within a few hours of this development, Check Point released an easy to implement solution that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these simple instructions to deploy the provided solution.
The attempts we’ve seen so far, in line with yesterday’s alert, are focusing on the same scenario with the known small number of customers we referred to yesterday. We’re working with customers who we believe were affected to remediate the situation. Check Point’s network is not affected by this.
Customer security is our top priority. We will continue to investigate this issue and will provide additional updates on this blog.
Original Post:
Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises.
Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.
We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.
By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.
We have assembled special teams of Incident Response, Research, Technical Services and Products professionals which thoroughly explored those and any other potential related attempts. Relying on these customers notifications and Check Point’s analysis, the teams found within 24 hours a few potential customers which were subject to similar attempts.
Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure.
Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts.
We encourage our customers to enhance their VPN security posture by:
- Check if you have local accounts, if they were used and by whom.
- If you don’t use them – best to disable them.
- If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environments IT security.
- As said, If you are a Check Point customer, deploy our solution on your Security Gateways. This will automatically prevent unauthorized access to your VPNs by local accounts with password-only authentication method.
Learn more and receive practical guidance for configuration monitoring and practices to enhance your VPN security posture.
For any additional assistance required, please contact Check Point technical support Center or your local Check Point representative.
We value the collaboration of our customers and dedication of our teams to reach a solution which effectively addresses any such attempts.