Update, 30/05, 9:41 am, Laura Herijgers: Attackers have been breaking in through Check Point's Remote Access VPN since at least April 30, and are using that access to steal Active Directory data.
The cybersecurity company mnemonic reports this finding on the basis of what it has seen at its customers. “It is known that password hashes of legacy local users deploying password-only authentication can be stolen, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further exploitation and possible lateral movement within the network.”
Original, 28/05, 3:21 pm, Floris Hulshoff Pol: Cybercriminals are targeting the Remote Access VPN technology that Check Point integrates into all of its network firewalls. The intrusion attempts rely on old local accounts that still use insecure password-only authentication.
Check Point disclosed the details in an advisory. The VPN technology can be configured as a client-to-site VPN connection, giving VPN clients secure access to corporate networks, or as an SSL VPN Portal that provides secure access over the (public) Internet.
The attackers try to reach the networks behind these gateways by logging in with old local accounts that authenticate with a password alone. Check Point does not recommend that configuration: password authentication should be combined with a certificate, so that a guessed or stolen password is not by itself enough to get in.
Three such intrusion attempts have been identified so far, all following the same pattern. That was enough for Check Point to analyse them and pin down the root cause.
Check Point’s advice
Check Point advises customers running its network firewalls to check their systems carefully for old local accounts of this kind that could be abused. The affected products are the Check Point Quantum Security Gateway and CloudGuard Network Security solutions, and the Mobile Access and Remote Access VPN software blades.
It also recommends switching these users to a stronger authentication method, or removing the vulnerable local accounts from the Security Management Server database altogether.
In addition, Check Point has released a hotfix that blocks local accounts from logging in with a password alone. Once it is installed, local accounts that rely on password-only authentication can no longer log in to the Remote Access VPN.
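The checks Check Point recommends come down to two questions: which local accounts still authenticate with a password alone, and has anyone already used such an account, or hammered the gateway with password guesses, from an unexpected source. The script below is an added example written for this article, not Check Point's own tooling. It assumes a key=value export of VPN login events with the field names `user`, `auth_method`, `user_type`, `src` and `result`, and an account inventory with `name` and `auth`; both layouts and all sample records are constructed for illustration and do not reflect Check Point's real log schema, so adapt the parser to what your gateway actually exports.

```python
"""Audit a VPN login export and an account inventory for the password-only
local-account exposure described above.

Added example, not Check Point's code. The record layout (key=value pairs,
field names user/auth_method/user_type/src/result) and the account inventory
format are assumptions chosen for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample log: one login event per line. 203.0.113.10 sprays
# passwords at several local accounts; svc-ldap-bind (a local service
# account) gets in with a password alone, which is the case to worry about.
SAMPLE_LOG = """\
time=2024-05-01T02:11:08Z user=svc-ldap-bind auth_method=password user_type=local src=203.0.113.10 result=success
time=2024-05-01T02:11:09Z user=jdoe auth_method=certificate user_type=local src=198.51.100.5 result=success
time=2024-05-01T02:12:00Z user=admin auth_method=password user_type=local src=203.0.113.10 result=failure
time=2024-05-01T02:12:01Z user=admin auth_method=password user_type=local src=203.0.113.10 result=failure
time=2024-05-01T02:12:02Z user=test auth_method=password user_type=local src=203.0.113.10 result=failure
time=2024-05-01T02:12:03Z user=vpn auth_method=password user_type=local src=203.0.113.10 result=failure
time=2024-05-01T02:12:04Z user=backup auth_method=password user_type=local src=203.0.113.10 result=failure
time=2024-05-01T02:13:10Z user=alice auth_method=password user_type=ldap src=198.51.100.7 result=success
time=2024-05-01T02:14:00Z user=bob auth_method=password user_type=local src=192.0.2.9 result=failure
"""

# Constructed account inventory (assumed format): name plus configured
# authentication method for each local user in the management database.
ACCOUNT_INVENTORY = [
    {"name": "svc-ldap-bind", "auth": "password"},
    {"name": "jdoe", "auth": "certificate"},
    {"name": "legacy-admin", "auth": "password"},
]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse key=value records, one event per non-empty line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        events.append(dict(token.split("=", 1) for token in line.split()))
    return events


def password_only_local_logins(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Local accounts that successfully logged in with a password alone.

    Directory (e.g. LDAP) users are excluded: the advisory concerns local
    accounts stored on the Security Management Server.
    """
    return {
        e["user"]
        for e in events
        if e.get("user_type") == "local"
        and e.get("auth_method") == "password"
        and e.get("result") == "success"
    }


def brute_force_sources(events: Iterable[Dict[str, str]],
                        threshold: int = 5) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed logins."""
    failures = Counter(e["src"] for e in events if e.get("result") == "failure")
    return {src: n for src, n in failures.items() if n >= threshold}


def accounts_to_remediate(accounts: Iterable[Dict[str, str]]) -> List[str]:
    """Inventory entries still configured for password-only authentication;
    these are the ones to convert to a stronger method or delete."""
    return sorted(a["name"] for a in accounts if a.get("auth") == "password")


def report(log_text: str, accounts: Iterable[Dict[str, str]]) -> Dict[str, object]:
    events = parse_events(log_text)
    return {
        "password_only_logins": sorted(password_only_local_logins(events)),
        "brute_force_sources": brute_force_sources(events),
        "accounts_to_remediate": accounts_to_remediate(accounts),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, ACCOUNT_INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags `svc-ldap-bind` twice, once as a password-only local login and once in the inventory, which is exactly the combination mnemonic describes: a local service account whose password hash is exposed by the weak authentication method. The failure threshold is deliberately low for the sample; on a real gateway pick it from your own baseline of failed logins per source.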
Other VPN environments also under attack
Check Point's VPN technology is not the only one under fire. Cisco earlier reported that VPN devices were being targeted by intrusion attempts as well.
In addition, VPN and SSH services and devices from vendors such as SonicWall, Fortinet, and Ubiquiti are being hit with brute-force attacks aimed at stealing login credentials.
Also read: Cisco firewalls exploited by state-sponsored hackers