Iran-Linked Hackers Are Scanning for Vulnerable Network Security Devices

By Martin Holloway
Iranian cyber actors have been actively scanning for Check Point Security Gateways — important network devices that protect company computer systems — according to a security warning published by CISA (a U.S. government cybersecurity agency) in August 2024. The scanning activity, observed in July 2024, is a typical first step before hackers attempt to break into vulnerable devices.

What Happened

The attackers were searching through internet addresses to find Check Point Security Gateways and determine which ones might be vulnerable to hacking. Think of it like someone walking down a street trying car door handles — the scanner is looking for devices that are exposed and accessible on the internet.

Check Point Security Gateways are crucial devices in most large organizations. They act as gatekeepers for company networks, controlling who and what can enter or leave. They handle remote worker VPN connections, enforce security rules, and monitor traffic going in and out of the network.

The scanning activity has been tied to cyber actors operating from Iran with connections to the Iranian government. This matters because Iran has a track record of targeting critical infrastructure, government networks, and defense-related companies in North America, Europe, and the Middle East.

Why This Matters

Check Point Security Gateways have known security flaws that hackers know how to exploit. The scanning activity is the preparation stage — attackers first find vulnerable devices, then attempt to break in. For organizations managing these devices, the window to fix the problem is closing. Devices reachable on the internet through standard security management ports — typically TCP 443, 4433, or 8443 — are the main targets.

Any organization running unpatched versions of Check Point gateways, or those with management interfaces accidentally exposed to the public internet, faces the highest risk. Companies in energy, defense, finance, and government sectors have historically been targeted by Iranian hackers, but the scanning itself is indiscriminate — it sweeps broadly across all reachable devices, not just specific targets.

What Organizations Should Do

If your organization uses Check Point Security Gateways, the priority is reducing how many can be reached from the public internet. Management interfaces should not be directly accessible; if remote access is needed, it should go through a restricted channel or a secure jump host. VPN portals have to be reachable to function, so keeping the software patched and up to date becomes even more critical.

Security teams can detect this type of scanning activity by looking for unusual patterns in network logs — sudden bursts of connection attempts from unfamiliar sources or attempts to reach non-standard ports. CISA provides lists of known Iranian hacker infrastructure that can be added to security monitoring tools to help spot suspicious activity.
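One way to turn the two detection ideas above into a check over firewall logs, as an added example that is not part of the article or of any CISA or Check Point tooling: it flags a source that hits many distinct hosts on the management ports named in the article within a short window (a scanning burst), and separately matches sources against an indicator list. The log format and all addresses are constructed for the example; the indicator set is a placeholder, not CISA's actual list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (format and addresses invented for this example).
SAMPLE_LOG = """\
2024-07-15T10:00:01Z src=203.0.113.7 dst=198.51.100.10 dport=443 action=drop
2024-07-15T10:00:02Z src=203.0.113.7 dst=198.51.100.11 dport=4433 action=drop
2024-07-15T10:00:02Z src=203.0.113.7 dst=198.51.100.12 dport=8443 action=drop
2024-07-15T10:00:03Z src=203.0.113.7 dst=198.51.100.13 dport=443 action=drop
2024-07-15T10:00:04Z src=203.0.113.7 dst=198.51.100.14 dport=443 action=drop
2024-07-15T10:00:05Z src=203.0.113.7 dst=198.51.100.15 dport=4433 action=drop
2024-07-15T10:05:00Z src=192.0.2.44 dst=198.51.100.10 dport=443 action=accept
2024-07-15T10:09:00Z src=192.0.2.44 dst=198.51.100.10 dport=443 action=accept
2024-07-15T11:00:00Z src=198.18.0.9 dst=198.51.100.20 dport=8443 action=drop
"""

MGMT_PORTS = {443, 4433, 8443}  # management ports named in the article
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, action = m.groups()
            ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append((ts, src, dst, int(dport), action))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Return {src: max distinct hosts} for sources touching >= min_targets hosts on
    management ports within any sliding `window` (the 'burst' pattern)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        if dport in MGMT_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged

def match_iocs(events, ioc_sources):
    """Sources that appear in a published indicator list (placeholder set, not CISA's)."""
    return sorted({src for _, src, *_ in events if src in ioc_sources})
```

Thresholds are assumptions to tune per environment: a legitimate remote worker (192.0.2.44 above) reconnecting to one VPN portal is not flagged, while one source sweeping six gateways in four seconds is.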

Organizations using backup or redundant gateway configurations need to treat all of them as potentially exposed. Patches need to be carefully applied in a way that keeps services running, but the complexity of maintaining uptime should not delay updates.

The broader context here: security agencies typically report on hacking campaigns weeks or months after they start. In this case, the activity was spotted in July and reported in August, which is relatively quick, but defenders should not assume the scanning stopped once the warning was published. These campaigns typically continue until the hackers either successfully break in, companies patch their systems, or the hackers move on to other approaches.

The Bigger Picture

This pattern of organized scanning for weaknesses is not new. In the mid-1990s, as the internet began to grow, attackers used automated tools to scan randomly for vulnerable computers. The difference now is the sophistication of the attackers. Government-backed hackers do not scan randomly; they scan because they have working exploit code ready to deploy and need to find suitable targets. That takes planning, resources, and intent.

Network security devices like these gateways are valuable targets because compromising one gives attackers a powerful foothold. They sit at the boundary between your company network and the outside world, which means they can see internal traffic, intercept login credentials from remote workers, and in some cases, modify access rules. Breaking into a gateway is far more damaging than breaking into a single computer.

What to Watch

Check Point is actively monitoring exploitation attempts against its products and publishing security guidance — including updates available on its website. Organizations should treat those updates as urgent signals and integrate them directly into their security maintenance processes, not as a monthly checklist item.

For the security community overall, the takeaway is clear: network security appliances — the devices that sit at your network perimeter protecting everything inside — have become the front door that sophisticated attackers target first. These devices are often harder to update quickly than regular computers, and they are implicitly trusted by the networks they protect. Closing that gap between exposure and repair is one of the most important things any organization can do to protect itself right now.