
Threat Awareness – Threat Actors Target Insecure VPN Instances for Initial Access to Enterprise Networks

Created: Tuesday, May 28, 2024 - 14:24
Categories: Cybersecurity, Security Preparedness

WaterISAC is sharing this recent threat actor behavior for member awareness. Threat actors have been identified targeting VPN solutions from various cybersecurity vendors for initial access into enterprise networks. Cybersecurity firm Check Point has monitored login attempts in which attackers leveraged old VPN local accounts with password-only authentication. These attempts do not appear to involve exploitation of a software vulnerability.

Utilities that use VPN solutions are advised to review their use of local accounts and disable any that are not needed. If local accounts are needed, authentication should be made more secure by adding another layer of authentication, such as multi-factor authentication (MFA) and certificates. It is important not to rely on password-only authentication.

Check Point offers the following guidance to help enhance VPN security posture:

  • Check if you have local accounts, if they were used and by whom.
  • If you don’t use them – best to disable them.
  • If you have local accounts which you want to use and are password-only authenticated, add another layer of authentication (like certificates) to increase your environment’s IT security.

Check Point has also provided some general recommendations to help organizations with their VPN security posture and outlined instructions for investigating suspicious activity. For more information on the observed threat, access Check Point and SecurityWeek.