Check Point VPN Zero-Day Vulnerability Exploited in Recent Cyber Attacks

May 29, 2024

Threat actors have been capitalizing on a high-severity zero-day vulnerability in Check Point's Remote Access VPN since April 30, gaining access to Active Directory data and enabling lateral movement within victims' networks. Check Point alerted its customers on Monday that their security gateways were under attack by threat actors using old VPN local accounts that relied on password-only authentication.

Following this, the company discovered that the attackers were exploiting an information disclosure flaw, identified as CVE-2024-24919. In response, Check Point released hotfixes to protect CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances from potential exploitation. "The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," said the company in an update to its initial advisory.

After the hotfix was released, all login attempts using weak credentials or authentication methods were automatically blocked and logged. Check Point also provided further details about CVE-2024-24919 and instructions for installing the hotfix in a support document. While Check Point stated that the zero-day attacks targeting CVE-2024-24919 began around May 24, cybersecurity firm mnemonic reported observing exploitation attempts in some of its customer environments as early as April 30.

The vulnerability is deemed especially critical as it can be exploited remotely without user interaction or any privileges on the attacked Check Point security gateways with Remote Access VPN and Mobile Access enabled. "The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown," warned mnemonic.

Threat actors have been seen extracting ntds.dit, the database that stores Active Directory data, from compromised customer environments within 2-3 hours of logging in with a local user. The vulnerability was also exploited to extract information that facilitated lateral movement within the victim's network, and Visual Studio Code was misused to tunnel malicious traffic. To mitigate the threat, mnemonic advised Check Point customers to immediately update their systems to the patched version and remove any local users on vulnerable security gateways. Administrators are also encouraged to change the passwords and accounts used for LDAP connections from the gateway to Active Directory, check logs for signs of compromise, and update the Check Point IPS signature, if available, to detect exploitation attempts.
