Check Point researchers report an increase in threat actors targeting remote-access VPN environments as an entry point into enterprise networks. In response, the company has been monitoring and mitigating unauthorized access attempts against its customers' Check Point VPN gateways.
On May 24, Check Point detected a small number of login attempts that used old VPN local accounts relying on password-only authentication. The company assembled teams from Incident Response, Research, Technical Services, and Products to investigate these attempts and any associated compromise.
Within 24 hours, those teams identified several customers who had seen similar unauthorized access attempts and notified them. They stressed the weakness of password-only authentication: a single guessed, reused, or leaked password is enough to reach the network, so gateways that accept it face a much higher risk of compromise than those requiring a second factor.
The teams recommended several measures: review local accounts and deactivate any that are unused; add multi-factor authentication to accounts that currently authenticate with a password only; deploy additional protections on Security Gateways that automatically block unauthorized access; and contact Check Point technical support or a local representative for further guidance.
Organizations that suspect unauthorized access are advised to review all remote-access connections made by local accounts using password-only authentication over the past three months. For each connection, the user, time stamp, source IP address, client name, operating system, and application should be checked against the organization's configured users and business requirements, so that logins from unexpected users, locations, hours, or devices stand out.
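The review described above can be partly automated. The following Python script is an added example, not Check Point's own VPNcheck script or log format: it reads constructed, hypothetical key=value log lines, keeps only logins by local accounts that authenticated with a password alone within a 90-day window, and compares each against an assumed per-user expectation (source networks, operating system, whether the account should still exist) and an assumed business-hours window. Field names, the sample records, and the expectations are all assumptions for illustration.

```python
"""
Triage of remote-access VPN logins by password-only local accounts.

Added example, not Check Point's script or log format. The log lines below are
constructed; the key=value layout and field names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

LOOKBACK = timedelta(days=90)      # "connection logs from the past three months"
BUSINESS_HOURS = range(7, 19)      # assumed expected login window, hours in UTC
REFERENCE_NOW = datetime(2024, 5, 28, tzinfo=timezone.utc)  # assumed review date

# Constructed sample records (hypothetical format, not a real gateway export).
SAMPLE_LOGS = """\
time=2024-05-24T02:13:07Z action=login user=admin-old auth=password account_type=local src=203.0.113.45 client=SecureClient os=Windows app=vpn
time=2024-05-24T09:41:22Z action=login user=jsmith auth=password+otp account_type=local src=198.51.100.17 client=EndpointSecurityVPN os=Windows app=vpn
time=2024-05-25T11:05:51Z action=login user=svc-backup auth=password account_type=local src=192.0.2.88 client=SecureClient os=Linux app=vpn
time=2024-05-25T14:22:03Z action=login user=bob auth=password account_type=local src=192.0.2.10 client=EndpointSecurityVPN os=Windows app=vpn
time=2024-01-02T08:00:00Z action=login user=alice auth=password account_type=local src=203.0.113.9 client=SecureClient os=macOS app=vpn
time=2024-05-26T03:30:00Z action=login user=jdoe auth=password account_type=ldap src=203.0.113.77 client=SecureClient os=Android app=vpn
time=2024-05-26T10:00:00Z action=login user=ghost auth=password account_type=local src=203.0.113.200 client=SecureClient os=Windows app=vpn
"""


@dataclass
class Expectation:
    networks: list        # CIDRs the account normally connects from
    os_names: set         # operating systems the account is issued
    active: bool = True   # False for accounts that should already be disabled


# Assumed "configured users and business requirements" for the sample.
EXPECTED = {
    "jsmith": Expectation([ipaddress.ip_network("198.51.100.0/24")], {"Windows"}),
    "bob": Expectation([ipaddress.ip_network("192.0.2.0/24")], {"Windows"}),
    "alice": Expectation([ipaddress.ip_network("203.0.113.0/24")], {"macOS"}),
    "svc-backup": Expectation([ipaddress.ip_network("192.0.2.0/24")], {"Linux"}),
    "admin-old": Expectation([], set(), active=False),   # unused account never removed
}


@dataclass
class Finding:
    user: str
    time: datetime
    src: str
    reasons: list         # empty list means the login matched expectations


def parse_line(line):
    """Split one key=value record into a dict (hypothetical format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_connections(log_text, expected, now):
    """Return a Finding for every in-scope login, with the reasons it deviates."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Scope: local accounts that authenticated with a password alone.
        if rec.get("action") != "login":
            continue
        if rec.get("account_type") != "local" or rec.get("auth") != "password":
            continue
        when = parse_time(rec["time"])
        if when < now - LOOKBACK:
            continue
        reasons = []
        exp = expected.get(rec["user"])
        if exp is None:
            reasons.append("user not among configured users")
        elif not exp.active:
            reasons.append("account should have been disabled")
        else:
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in exp.networks):
                reasons.append(f"source {rec['src']} outside expected networks")
            if rec.get("os") not in exp.os_names:
                reasons.append(f"unexpected OS {rec.get('os')}")
        if when.hour not in BUSINESS_HOURS:
            reasons.append(f"login at {when:%H:%M} UTC outside business hours")
        findings.append(Finding(rec["user"], when, rec["src"], reasons))
    return findings


def suspicious(findings):
    """Only the logins that deviated from expectations."""
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in review_connections(SAMPLE_LOGS, EXPECTED, REFERENCE_NOW):
        status = "REVIEW" if f.reasons else "ok"
        print(f"{status:6} {f.user:12} {f.time:%Y-%m-%d %H:%M} {f.src:16} {'; '.join(f.reasons)}")
```

On the sample, the MFA login, the directory-backed account, and the login older than 90 days drop out of scope; the two in-scope logins that match their profiles are listed for the record, and the disabled-but-still-working account and the unknown user are the ones an analyst would pursue first. Against a real export, the parser is the only part that changes: the per-user expectations and the scoping rules are exactly the review the text describes.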
Check Point has also released a hotfix that lets Security Gateways refuse connections from users who authenticate with a password only, closing off the authentication method these attempts relied on.
To help enterprises assess exposure, Check Point has published a script, VPNcheck_v2.zip, that identifies potential indicators of compromise in a VPN environment. The steps for running it are described on the solution page, and organizations should follow them before and after applying the mitigations above.
The Security Gateway Hotfix adds the command blockSFAInternalUsers, with which administrators enable or disable blocking of internal (local) users who authenticate with a password only. Once blocking is enabled, any connection attempt that uses password-only authentication is rejected and a security log records the failed attempt, so administrators can see in near real time which accounts and sources are still trying to use the weak method.
Organizations should therefore treat strong VPN authentication as a priority and keep watching for unauthorized access attempts: a gateway that accepts a password alone is one leaked credential away from giving an attacker a foothold in the network, with the data loss and financial and reputational damage that follow.
Check Point's response to these attempts is a reminder that attackers favor the weakest authentication path available to them. Removing unused local accounts, requiring a second factor, and blocking password-only logins at the gateway are the concrete steps that take that path away.

