Check Point Warns of Ongoing Attacks Targeting Remote Access VPN Devices

ICARO Media Group
News
27/05/2024 20h27

In an advisory released on Monday, Check Point alerted enterprises about an ongoing campaign by threat actors to breach corporate networks through Check Point Remote Access VPN devices. Considered an integral part of all Check Point network firewalls, Remote Access VPN can be configured as a client-to-site VPN or an SSL VPN Portal.

The attackers have been specifically targeting security gateways with outdated local accounts that rely solely on password authentication, rather than the more secure certificate authentication. Check Point disclosed that a small number of login attempts had been detected since May 24, 2024, using these vulnerable local accounts.

When asked about the extent of the attacks, a spokesperson from Check Point informed BleepingComputer that they had identified three similar attempts globally, indicating a discernible pattern. Although the number of attempts has been relatively low, the company emphasized the need for precautionary measures to counter the threat effectively.

To defend against these attacks, Check Point advises customers to scrutinize Quantum Security Gateway, CloudGuard Network Security products, Mobile Access VPN, and Remote Access VPN software blades for vulnerable local accounts. Customers are urged to change the user authentication method to stronger options or delete compromised accounts from the Security Management Server database.

Furthermore, Check Point has released a Security Gateway hotfix that prevents local accounts with weak password-only authentication from logging into the Remote Access VPN. This measure aims to enhance the overall security posture of the VPN infrastructure.
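As an added example (not Check Point's own code or tooling), the following Python audits an account inventory and authentication log lines for the two conditions the advisory describes: local accounts that accept only a password, and login attempts against those accounts since May 24, 2024. The inventory and log formats here are constructed and hypothetical; a real gateway export will differ.

```python
# Added example, not Check Point tooling; inventory and log formats are constructed.
import re
from datetime import datetime, timezone

# Constructed inventory: account -> accepted auth method, last successful login.
ACCOUNTS = {
    "vpn-backup":  {"auth": "password",     "last_login": "2022-11-03"},
    "contractor1": {"auth": "password",     "last_login": "2024-05-20"},
    "alice":       {"auth": "certificate",  "last_login": "2024-05-24"},
    "bob":         {"auth": "password+otp", "last_login": "2024-05-23"},
}
# Constructed authentication log lines (hypothetical key=value format).
LOGS = """\
2024-05-24T02:11:09Z gw auth user=vpn-backup method=password src=198.51.100.7 result=failure
2024-05-24T02:11:41Z gw auth user=vpn-backup method=password src=198.51.100.7 result=failure
2024-05-24T02:12:15Z gw auth user=vpn-backup method=password src=198.51.100.7 result=success
2024-05-24T09:30:00Z gw auth user=alice method=certificate src=203.0.113.5 result=success
2024-05-25T23:59:59Z gw auth user=contractor1 method=password src=198.51.100.9 result=failure
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) method=\S+ "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")
CAMPAIGN_START = datetime(2024, 5, 24, tzinfo=timezone.utc)  # date from the advisory

def password_only_accounts(accounts):
    """Accounts whose only factor is a password: the ones the hotfix blocks."""
    return sorted(n for n, a in accounts.items() if a["auth"] == "password")

def parse_log(text):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev

def review(accounts, logs, since=CAMPAIGN_START, stale_days=180):
    """Per password-only account: attempts since `since` and a suggested action."""
    out = {n: {"attempts": 0, "successes": 0, "sources": set()}
           for n in password_only_accounts(accounts)}
    for ev in parse_log(logs):
        if ev["user"] in out and ev["ts"] >= since:
            f = out[ev["user"]]
            f["attempts"] += 1
            f["successes"] += ev["result"] == "success"
            f["sources"].add(ev["src"])
    for n, f in out.items():
        last = datetime.fromisoformat(accounts[n]["last_login"]).replace(tzinfo=timezone.utc)
        stale = (since - last).days > stale_days  # unused account: delete rather than keep
        f["action"] = "investigate" if f["successes"] else "delete" if stale else "switch to certificate auth"
    return out
```

A successful password-only login after the campaign start is treated as a possible compromise to investigate; unused accounts are candidates for deletion and the rest for a stronger authentication method, matching the advisory's two remedies.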

It is worth noting that Check Point is the second company to issue a warning about attacks on VPN devices. In April, Cisco also highlighted the prevalence of credential brute-forcing attacks targeting VPN and SSH services across multiple vendors' devices, including Check Point's. The campaign, originating from Tor exit nodes and utilizing anonymization tools and proxies, commenced around March 18, 2024.

In an unrelated incident a month earlier, Cisco revealed a series of password-spraying attacks on its Secure Firewall devices running Remote Access VPN services, which were believed to be part of initial reconnaissance. Renowned security researcher Aaron Martin identified this activity as the work of an unreported botnet called "Brutus," controlling a network of over 20,000 IP addresses.

Adding to the list of recent security concerns, Cisco also disclosed that the UAT4356 (aka STORM-1849) state-backed hacking group had been leveraging zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. The campaign, named ArcaneDoor, aimed at infiltrating government networks globally for cyber-espionage purposes.

Check Point's advisory underscores the critical need for organizations to remain vigilant and implement robust security measures to protect their network infrastructure. More information on improving VPN security and responding to unauthorized access attempts can be found in the support article provided by Check Point.

Update: May 27, 14:28 EDT: Check Point's statement regarding the ongoing attacks has been added.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
