Threat actors are targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks, the company has warned in a new advisory.
In the advisory, Check Point says the attackers are targeting security gateways that still have old local accounts relying on insecure password-only authentication; Check Point's guidance is that such accounts should use certificate authentication alongside the password to prevent breaches.
"We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point's customers. By May 24, 2024, we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method," the company said.
To defend against these ongoing attacks, Check Point warned customers to check for such vulnerable accounts on Quantum Security Gateway and CloudGuard Network Security products and on Mobile Access and Remote Access VPN software blades.
Check Point has advised organizations to review the use of local accounts and disable them if not needed. If they are needed, authentication should be made more secure, for instance, by adding an additional layer of authentication on top of passwords, such as certificates.
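The review Check Point asks for (find local accounts, disable the ones no longer needed, and add certificate authentication to the rest) is straightforward to script once the account list is exported. The following is an added example, not a Check Point tool and not part of the advisory: it assumes a generic account record with a name, a tuple of authentication methods, a last-login date and an enabled flag, and the 90-day staleness threshold and the sample records are constructed for illustration.

```python
"""Audit VPN local accounts against the advisory's guidance.

Constructed example: the record layout and the sample accounts below are
invented for illustration, not taken from any real gateway export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LocalAccount:
    name: str
    auth_methods: Tuple[str, ...]   # e.g. ("password",) or ("password", "certificate")
    last_login: Optional[date]      # None = never logged in
    enabled: bool


def assess(account: LocalAccount, today: date, stale_after_days: int = 90) -> List[str]:
    """Return the findings for one account (empty list = nothing to do)."""
    findings: List[str] = []
    if not account.enabled:
        return findings                     # already disabled, nothing to fix
    # Password as the only factor is exactly what the advisory warns about.
    if account.auth_methods == ("password",):
        findings.append("password-only")
    # An account nobody has used for a long time (or ever) is a candidate for removal.
    if account.last_login is None or (today - account.last_login).days > stale_after_days:
        findings.append("stale")
    return findings


def recommend(account: LocalAccount, findings: List[str]) -> str:
    """Map findings to the action the advisory suggests."""
    if not account.enabled:
        return "already disabled"
    if "stale" in findings:
        return "disable"                    # not needed -> disable it
    if "password-only" in findings:
        return "add certificate"            # needed -> add a second factor
    return "ok"


def audit(accounts: List[LocalAccount], today: date, stale_after_days: int = 90) -> Dict[str, str]:
    """Produce an account -> recommended action map for the whole export."""
    return {a.name: recommend(a, assess(a, today, stale_after_days)) for a in accounts}


# Constructed sample data; the date matches the advisory's reference date.
TODAY = date(2024, 5, 24)
SAMPLE_ACCOUNTS = [
    LocalAccount("vpn-legacy", ("password",), date(2023, 11, 2), True),
    LocalAccount("contractor1", ("password",), date(2024, 5, 21), True),
    LocalAccount("ops-admin", ("password", "certificate"), date(2024, 5, 23), True),
    LocalAccount("retired-svc", ("password",), None, False),
]


def run_sample() -> Dict[str, str]:
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for name, action in run_sample().items():
        print(f"{name:12s} -> {action}")
```

Run on a real export, the interesting rows are the "disable" and "add certificate" ones; "ok" accounts already carry a certificate factor and only need the periodic re-check.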
A few cybersecurity vendor representatives offered their perspective on the news.
Jason Soroko, Senior Vice President of Product at Sectigo, said:
"The advisory going out to Check Point customers is an important one. Switching from weak authentication to stronger authentication has multiple benefits. Username and password authentication is below the threshold of basic security, especially when much stronger forms of authentication are available. In addition to being insecure and inefficient, passwords are becoming increasingly inappropriate for many modern enterprise use cases. Many of today's enterprise applications already actively support modern alternatives to passwords, by offering certificate-based authentication as the de facto technology to replace passwords for humans and machines."
"We recommend using certificate-based authentication, which leverages digital certificates to successfully authenticate and secure human and machine identities, ahead of granting access to the enterprise network. With certificate-based authentication, enterprises can ensure human and machine identities requesting access to the network are legitimate. Whether an enterprise is focused on implementing modern security architectures, or if the intention is to save costs by reducing spending on password resets and employee password education, a certificate-based authentication approach will help lead to a passwordless future."
Patrick Tiquet, Vice President, Security & Architecture, at Keeper Security, said:
"The warning from Check Point is a reminder that threat actors are continually evolving their tactics, highlighting the critical need for enterprises to proactively defend themselves against cyber threats. Attackers exploiting old, insecure local accounts is a reminder that security is an ongoing process, and enterprises must continually update their authentication methods to ensure they are in line with the latest best practices. Reliance on password-only authentication is a glaring vulnerability that can be easily exploited. Enterprises must adopt a layered security approach that includes strong authentication methods, regular security assessments, and timely application of security patches."
Venky Raju, Field CTO at ColorTokens, said:
"This is a stark reminder for organizations to make urgent plans to shift from legacy VPNs to Zero Trust Network Access (ZTNA) solutions. A few weeks ago, Ivanti's VPN was in the crosshairs of adversaries, and the United States Cybersecurity and Infrastructure Security Agency (CISA) issued several advisories on this topic. ZTNA solutions have several advantages over VPNs, chief of which is that ZTNA inherently limits what the end-user can access using the principles of least privilege. Also, ZTNA solutions have better integration with the enterprise's identity management system, reducing the risk of compromised passwords or misconfigurations."
Tiquet provided additional commentary: "Whether a breach occurs through phishing, weak passwords, brute-force password attacks, or other means, strengthening authentication mechanisms and reviewing access controls are equally important priorities. When possible, multi-factor authentication (MFA) should be enabled to help protect against phishing and brute force, among other cyberattacks."