Threat actors are actively trying, at an accelerated rate, to exploit remote-access VPN environments in order to infiltrate and attack enterprise networks, according to cyber security firm Check Point. The company says the intent is to “discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets.”
To better understand the situation, Check Point monitored the VPN access of its customers to see whether any of these organizations might be affected. It brought together its Incident Response, Research, Technical Services and Products teams to review the data and investigate this and other related activity.
The company says that after 24 hours it did observe some customers being potentially impacted, with attempts being made “using old VPN local-accounts relying on unrecommended password-only authentication method.” The number of customers appears to have been limited, although the report didn’t share any specific numbers and only stated it was a “few potential customers.”
Check Point lays out several ways that organizations can mitigate this issue. The first is to evaluate if there are any local accounts enabled, and to disable them if they are not being used. If a local account is a necessary part of the environment, and it relies on password-based authentication, then organizations are encouraged to add another layer of authentication such as certificates.
Hopefully organizations take notice of the information being shared, and work to ensure that networks are being secured using more than just a simple password.