Hackers target Check Point Software customers through old, local VPN accounts
Attack Brief
Check Point Software Technologies has alerted its customers that malicious actors are attempting to hack a limited number of old VPN local accounts using password-only authentication methods, according to a blog post released on Monday. The company has been monitoring these unauthorized access attempts following months of high-profile attacks in the U.S. and elsewhere, where threat groups targeted remote access VPN environments.
Check Point reported that it has assembled a team of incident response, product, and technical service experts, identifying a few other customers targeted by similar methods. As of Friday, a total of three attempts have been identified globally. The company continues to investigate and will provide updates as additional information becomes available.
Insight
The attacks on Check Point customers follow months of threat activity targeting organizations that use VPN devices for secure remote access.
State-linked threat groups have exploited critical vulnerabilities in edge devices, targeting numerous vendors in their attacks on organizations.
Recently, vendors like Cisco and Ivanti have been targeted by hackers exploiting vulnerable edge devices.
Volt Typhoon, a threat group linked to the People’s Republic of China, has also been associated with extensive targeting of critical infrastructure in the U.S.
Check Point Software’s Chief of Staff, Gil Messing, stated that the company sent a letter to customers last week regarding the attacks and will provide additional updates as more information becomes available.
“Old, unused accounts with password-only authentication are a poor cyber hygiene practice,” Messing noted.
The company has released a hotfix for customers to download and block this type of activity.
While Check Point declined to specify the locations of the affected customers, they confirmed that government cybersecurity authorities have been notified about the incidents.