Check Point researchers have observed a surge in threat actor groups targeting remote-access VPN environments as an entry point for gaining access to enterprise networks. In response to these threats, Check Point has been monitoring unauthorized access attempts on Check Point VPNs and has released a preventative solution to address the issue. While the researchers suggested that the issue is broader than Check Point VPNs, the fix applies solely to Check Point environments.

Identification of Unauthorized Access Attempts to Check Point VPN

On May 24, Check Point identified a small number of login attempts using old VPN local accounts that relied on an unrecommended password-only authentication method. The company assembled special teams of Incident Response, Research, Technical Services, and Products professionals to thoroughly investigate these attempts and any other potentially related incidents. Within 24 hours, the teams identified several potential customers who were subject to similar attempts and notified them accordingly. The teams consider password-only authentication methods insecure and more susceptible to the compromise of network infrastructure, recommending against solely relying on these methods when logging into network infrastructure. Several points were advised by the teams as preventative measures, such as:

• Reviewing and disabling unused local accounts.
• Implementing an additional layer of authentication, such as certificates, to password-only accounts.
• Deploying additional solutions on Security Gateways to automatically block unauthorized access.
• Contacting the Check Point technical support team or a local representative for additional guidance and assistance.

In case of suspected unauthorized access attempts, Check Point researchers recommend that organizations analyze all remote access connections of local accounts with password-only authentication, monitor connection logs from the past 3 months, and verify the familiarity of user details, time, source IP address, client name, OS name, and application based on configured users and business needs. Check Point has also released a hotfix to prevent users with password-only authentication from connecting to Security Gateways. After implementation, password-only authentication methods for local accounts will be prevented from logging into the Check Point Remote Access VPN. If any connections or users are not validated, invoking the incident response playbook or contacting Check Point Support or a local Check Point representative is advised. The company stated that it witnessed the compromise of several VPN solutions, including those of various cybersecurity vendors.

Implementing Check Point VPN Hotfix

Check Point released a script to identify potential risks of compromise in its VPN environment. Enterprises can download the VPNcheck_v2.zip archive file and follow the steps mentioned on the solution page. If the script identifies local accounts with password-only authentication, users can proceed with the installation of the Security Gateway Hotfix as an option. The hotfix is available via the Check Point Upgrade Service Engine (CPUSE) or through manual download. The Hotfix implements a new command, blockSFAInternalUsers, to the Security Gateway, allowing admins to block or grant access to internal users with password-only authentication. The default value is set to block internal users from connecting with password-only authentication. After installing the hotfix, users who attempt to connect using the weak password-only authentication method will receive a security log indicating the blocked attempt as failed. As remote operations and online threats rise, organizations must prioritize the implementation of tougher VPN authentication methods while monitoring for unauthorized attempts to access these environments. Failure to do so can lead to compromised network infrastructure or assets, data breaches, and significant financial and reputational damage. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.