Enterprise network breaches through Check Point VPNs

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Remote Access VPN is a module available on Check Point Security Gateway appliances. It can be configured in several ways to provide VPN connectivity to an organisation, with or without a dedicated VPN client. On 24 May 2024 Check Point identified threat actors logging in through old, unused local accounts that relied solely on password authentication (no certificate and no second factor) to gain a foothold on these devices.

Impact

Threat actors gain unauthorised access to enterprise networks through the remote access VPN. Once inside, they can exfiltrate sensitive information, leading to financial loss and reputational damage, and can introduce malware to disrupt operations, steal data, and maintain persistent access.

Targeted Organisations

Because the targeting is opportunistic and indiscriminate, every organisation exposing a Check Point remote access VPN, particularly one with local accounts that authenticate by password only, is realistically at risk. Enterprise networks that rely on the solution are the primary targets, which increases the likelihood that they will be attacked.

Containment, Mitigations & Remediations

It is recommended to harden your VPN security posture with the following:

  • Harden user accounts: audit all local accounts defined on the Security Gateway, disable or remove any that are unused, enforce a password policy, and require an additional authentication factor (certificate or multi-factor authentication) for every remaining account. Review VPN logs for successful logins by local accounts using password-only authentication, as these are the activity observed in this campaign
  • Install the hotfix Check Point has released for the Security Gateway (see the Check Point Solution link below), which automatically blocks local accounts that authenticate with a password only from connecting over Remote Access VPN
  • Follow patch management procedures and apply software updates promptly to address vulnerabilities
  • Maintain a vulnerability management lifecycle to identify and address vulnerabilities proactively.
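The following script is an added example, not code from the original bulletin or from Check Point, showing how a SOC analyst might hunt for the activity described in the Overview and checked for in the first mitigation above: successful VPN logins by local accounts that authenticated with a password only, plus sources that hammered the gateway with failed attempts before one succeeded. The log lines are constructed, and their key=value layout, the field names (`auth_method`, `product`, `action`, `src`) and the local-account inventory are all assumptions; map them to the fields your own Check Point log export actually uses.

```python
"""Hunt VPN logs for password-only logins by local accounts (added example).

The key=value log format, the field names and the local-account inventory below
are assumptions for illustration, not Check Point's actual log schema.
"""
import re
from collections import Counter

# Constructed sample log lines (not a real export). One source, 198.51.100.23,
# fails repeatedly against 'admin' and then succeeds as 'test' with a password only.
SAMPLE_LOGS = """\
time=2024-05-24T02:11:05Z action=Accept product="Mobile Access" user=svc_backup auth_method=Password src=198.51.100.23 origin=gw-edge-01
time=2024-05-24T02:11:09Z action=Accept product="Mobile Access" user=j.smith auth_method=Password+OTP src=203.0.113.8 origin=gw-edge-01
time=2024-05-24T02:13:40Z action=Reject product="Mobile Access" user=admin auth_method=Password src=198.51.100.23 origin=gw-edge-01 reason="Wrong password"
time=2024-05-24T02:13:44Z action=Reject product="Mobile Access" user=admin auth_method=Password src=198.51.100.23 origin=gw-edge-01 reason="Wrong password"
time=2024-05-24T02:13:49Z action=Reject product="Mobile Access" user=admin auth_method=Password src=198.51.100.23 origin=gw-edge-01 reason="Wrong password"
time=2024-05-24T02:14:52Z action=Accept product="Mobile Access" user=test auth_method=Password src=198.51.100.23 origin=gw-edge-01
time=2024-05-24T02:20:01Z action=Accept product="Mobile Access" user=m.lee auth_method=Certificate src=192.0.2.77 origin=gw-edge-01
"""

# Assumed inventory of accounts defined locally on the gateway; export your own
# from the management server rather than hard-coding it.
LOCAL_ACCOUNTS = {"svc_backup", "admin", "test"}
FAILED_THRESHOLD = 3  # failed attempts from one source before it is flagged

# Matches key=value pairs, with values either bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(log_text, local_accounts=LOCAL_ACCOUNTS, failed_threshold=FAILED_THRESHOLD):
    """Return password-only local-account logins, brute-force sources, and the
    intersection of the two (a success from a source that was also failing)."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    password_only_logins = []
    failures_by_src = Counter()

    for ev in events:
        user, src, action = ev.get("user"), ev.get("src"), ev.get("action")
        if action == "Accept" and ev.get("auth_method") == "Password" and user in local_accounts:
            password_only_logins.append({"time": ev.get("time"), "user": user, "src": src})
        elif action == "Reject":
            failures_by_src[src] += 1

    brute_force_sources = {s for s, n in failures_by_src.items() if n >= failed_threshold}
    high_priority = [e for e in password_only_logins if e["src"] in brute_force_sources]
    return {
        "password_only_logins": password_only_logins,
        "brute_force_sources": brute_force_sources,
        "high_priority": high_priority,
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS)
    for e in result["password_only_logins"]:
        print(f"password-only local login: {e['time']} user={e['user']} src={e['src']}")
    print("brute-force sources:", sorted(result["brute_force_sources"]))
    for e in result["high_priority"]:
        print(f"HIGH: success after repeated failures: user={e['user']} src={e['src']}")
```

Every hit in `password_only_logins` is an account that the mitigations above say should not exist in that form (either disable it or add a second factor); the `high_priority` entries are the ones to treat as a likely compromise and investigate first. Logins with `Password+OTP` or `Certificate` are deliberately not flagged, since those are the recommended configurations.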

Threat Landscape

The recent attacks on Check Point VPNs have been observed across various industries.

Threat Group

No attribution to a specific threat group had been made at the time of this bulletin. VPNs are, however, commonly targeted by multiple threat groups as an initial access vector into an organisation.

Indicators of Compromise

No indicators of compromise are available currently.

Further Information

Bleeping Computer Article

Check Point FAQ

Check Point Solution

Check Point VPN Exploit