May 30, 2024
Severity
High
Analysis Summary
Threat actors have been using a zero-day vulnerability in Check Point's Network Security gateway devices. The flaw, which is being tracked as CVE-2024-24919 (CVSS score: 7.5), affects Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark appliances, CloudGuard Network, and Quantum Maestro.
An attacker may be able to read specific data from Internet-connected gateways that have a remote access VPN or mobile access enabled due to this vulnerability. The following versions have hotfixes available:
- Quantum Maestro and Quantum Scalable Chassis - R81.20, R81.10, R80.40, R80.30SP, R80.20SP
- Quantum Spark Gateways Version - R81.10.x, R80.20.x, R77.20.x
- Quantum Security Gateway and CloudGuard Network Security Versions - R81.20, R81.10, R81, R80.40
This happened a few days after the cybersecurity firm issued a warning about intrusions that were aimed at using its VPN devices to access corporate networks. This has now been linked to a newly identified high-severity zero-day that was found in Security Gateways that have the Mobile Access software blade, Remote Access VPN, and IPSec VPN installed.
While Check Point did not go into detail about the attacks, it did mention in a frequently asked question that the majority of the exploitation attempts seen thus far have been focused on remote access to outdated local accounts using password-only authentication against a limited number of users.
With similar intrusions affecting devices from Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware in recent years, the targeting of VPN equipment is only the most recent wave of attacks against network perimeter applications. The company said that attackers are drawn to remote access configurations as a way into organizations, where they then try to locate relevant corporate assets and people. They also look for vulnerabilities to establish persistence on important company assets.
According to a cybersecurity company, it has been aware since April 30, 2024 of exploitation attempts using CVE-2024-24919 against its client environments. The vulnerability is regarded as significant because it enables unauthorized actors to retrieve data from internet-connected gateways. A threat actor can use it to enumerate and retrieve the password hashes of every local account, including the one used to bind to Active Directory.
Specifically, password hashes for legacy local users with password-only authentication, including service accounts used to connect to Active Directory, are known to be recoverable. Weak passwords can then be cracked, which could lead to further abuse and lateral movement within the network. According to the company, the vulnerability is both critical and easy to exploit because it requires neither user interaction nor privileges.
According to the evidence gathered thus far, the vulnerability has also been weaponized to extract Active Directory data (NTDS.dit) within two to three hours of a local user logging in. This has allowed unknown actors to move laterally within the network and exploit Visual Studio (VS) Code's remote development extensions to tunnel network traffic to avoid detection.
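The summary above amounts to a triage rule: a gateway is exposed when it is internet-facing, has Remote Access VPN or Mobile Access enabled, and lacks the hotfix, and the damage is worst where password-only local accounts exist, since their hashes may already have been retrieved even on a system that is later patched. The script below turns that into a ranking over a small asset inventory. It is an added example, not Check Point's code or tooling; the inventory records, field names, hostnames and account names are constructed for illustration, and the version sets are taken from the hotfix list in this advisory.

```python
"""Rank gateways by exposure to CVE-2024-24919 (added example, not vendor code).

The inventory schema below is an assumption for illustration; map your own
asset data onto it. Version trains come from the advisory's hotfix list.
"""
from dataclasses import dataclass, field

# Release trains the advisory lists as having hotfixes available.
HOTFIX_TRAINS = {
    "gateway": {"R81.20", "R81.10", "R81", "R80.40"},            # also CloudGuard Network
    "maestro": {"R81.20", "R81.10", "R80.40", "R80.30SP", "R80.20SP"},  # also Scalable Chassis
    "spark": {"R81.10", "R80.20", "R77.20"},                    # advisory lists these as x.x.x
}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class LocalAccount:
    name: str
    password_only: bool  # True when no certificate/MFA factor is required


@dataclass
class Gateway:
    host: str
    product: str            # "gateway" | "maestro" | "spark"  (constructed labels)
    version: str            # e.g. "R81.10" or "R80.20.40"
    internet_facing: bool
    remote_access_vpn: bool
    mobile_access: bool
    hotfix_applied: bool
    local_accounts: list = field(default_factory=list)


def version_train(version: str) -> str:
    """Reduce 'R80.20.40' to 'R80.20'; 'R80.30SP' and 'R81' pass through."""
    return ".".join(version.split(".")[:2])


def assess(gw: Gateway) -> dict:
    """Return priority plus the reasons behind it for one gateway."""
    reasons = []
    attack_surface = gw.internet_facing and (gw.remote_access_vpn or gw.mobile_access)
    exposed = attack_surface and not gw.hotfix_applied
    weak = [a.name for a in gw.local_accounts if a.password_only]
    hotfix_available = version_train(gw.version) in HOTFIX_TRAINS.get(gw.product, set())

    if exposed:
        reasons.append("internet-facing with Remote Access VPN/Mobile Access and no hotfix")
        if not hotfix_available:
            reasons.append(f"no hotfix listed for {gw.version}; upgrade or apply workaround")
    if weak:
        # Hashes may already be gone: rotation is needed even after patching.
        reasons.append("password-only local accounts to rotate/move to MFA: " + ", ".join(weak))

    if exposed and weak:
        priority = "critical"
    elif exposed:
        priority = "high"
    elif weak and attack_surface:
        priority = "medium"
    else:
        priority = "low"
    return {"priority": priority, "exposed": exposed,
            "hotfix_available": hotfix_available, "reasons": reasons}


def triage(gateways) -> list:
    """Assess every gateway and sort most urgent first (stable order otherwise)."""
    rows = [dict(host=g.host, **assess(g)) for g in gateways]
    rows.sort(key=lambda r: PRIORITY_ORDER[r["priority"]])
    return rows


def sample_inventory() -> list:
    """Constructed sample inventory; not real hosts or accounts."""
    return [
        Gateway("vpn-edge-1", "gateway", "R81.10", True, True, False, False,
                [LocalAccount("svc_ad_bind", True), LocalAccount("admin", False)]),
        Gateway("vpn-edge-2", "gateway", "R81.20", True, True, True, True,
                [LocalAccount("legacy_user", True)]),
        Gateway("branch-spark", "spark", "R80.20.40", True, False, False, False, []),
        Gateway("lab-maestro", "maestro", "R80.30SP", False, True, False, False, []),
    ]


if __name__ == "__main__":
    for row in triage(sample_inventory()):
        print(f"{row['priority']:8} {row['host']:14} {'; '.join(row['reasons']) or 'no action'}")
```

The "medium" tier is the non-obvious part: vpn-edge-2 is already patched, but its password-only local account still warrants rotation and a move to MFA, because the advisory notes that hashes for such accounts are recoverable and that the observed intrusions focused on exactly those accounts.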
Impact
- Exposure of Sensitive Data
- Unauthorized Remote Access
- Credential Theft
Indicators of Compromise
CVE
- CVE-2024-24919
Affected Vendors
- Check Point
Remediation
- Refer to the Check Point Website for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.