Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919)
Attackers have been exploiting CVE-2024-24919, a zero-day vulnerability in Check Point Security Gateways, to pinpoint and extract password hashes for local accounts, which they then used to move laterally in the target organizations’ network.
“The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely,” IT security service provider Mnemonic noted, and shared that they have observed several attacks that included CVE-2024-24919 exploitation.
About CVE-2024-24919
The existence and in-the-wild exploitation of the flaw were revealed by Check Point on Tuesday, a day after they warned about discovered instances of attackers making login attempts “using old VPN local-accounts relying on unrecommended password-only authentication method.”
The company said that at the root of these attempts was exploitation of CVE-2024-24919, a zero-day that allowed attackers to “read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled.”
Mnemonic and Watchtowr Labs researchers followed up by revealing more about the vulnerability and the attacks.
It turns out that CVE-2024-24919 is a path traversal vulnerability that can lead to attackers reading ANY file on the system, but attackers have been using it to extract login credentials for local accounts (including service accounts used to connect to Active Directory).
According to Check Point, the vulnerability affected all Check Point Security Gateways that had either the Mobile Access Software Blade or the IPsec VPN Blade enabled (but ONLY when included in the Remote Access VPN community).
Zero-day exploitation
Mnemonic has observed exploitation attempts in customer environments since April 30, 2024. Check Point says that “further investigation revealed that the first exploitation attempts started on April 7, 2024”, and that they “are actively investigating further.”
“We have observed threat actors extracting ntds.dit [the primary database file in Microsoft’s Active Directory Domain Services] from compromised customers within 2-3 hours after logging in with a local user,” Mnemonic shared.
The attackers – potentially an initial access broker – covertly exfiltrated this database by misusing Visual Studio Code for traffic tunneling.
Check Point has released hotfixes for the various affected Security Gateway appliances and has advised customers to implement them as soon as possible. They’ve also outlined a series of extra measures organizations can take to increase the security of the Check Point gateways in use.
Organizations should also check whether they have been targeted by the attackers.
Mnemonic has shared a few IP addresses from which attackers performed reconnaissance and exploitation, and Check Point has a more extensive list. Rapid7 researchers have advised checking successful web administration panel and SSH logins performed in that specific period.
If evidence of compromise is unearthed, a deeper investigation and remediation will be required.
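As an added illustration (not code from Check Point, Mnemonic or Rapid7), the login review advised above can be sketched as a triage pass over SSH authentication logs that flags successful logins from April 7, 2024 onward when they come from a listed address or use a password against a local account. Assumptions: OpenSSH syslog line format, a log year of 2024, hypothetical account names, and an indicator set holding only the one address quoted on this page.

```python
import re
from datetime import datetime

# Assumptions (not from the article): OpenSSH syslog line format, log year 2024.
FIRST_EXPLOITATION = datetime(2024, 4, 7)   # first attempts, per Check Point
KNOWN_BAD_IPS = {"45.88.91.78"}             # the one address quoted in the article
LOG_YEAR = 2024                             # classic syslog timestamps omit the year

ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage_ssh_logins(lines, local_accounts):
    """Return successful SSH logins on or after FIRST_EXPLOITATION that merit review."""
    findings = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed logins and unrelated messages are out of scope here
        when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if when < FIRST_EXPLOITATION:
            continue
        reasons = []
        if m["ip"] in KNOWN_BAD_IPS:
            reasons.append("source on indicator list")
        if m["method"] == "password" and m["user"] in local_accounts:
            reasons.append("password-only login to local account")
        if reasons:
            findings.append({"time": when, "user": m["user"], "ip": m["ip"], "reasons": reasons})
    return findings

# Constructed sample lines; hostnames, accounts and the logins themselves are invented.
SAMPLE_LOG = [
    "Apr  2 08:15:01 gw01 sshd[2101]: Accepted password for admin from 192.0.2.10 port 50122 ssh2",
    "May  3 02:41:17 gw01 sshd[3307]: Accepted password for svc_ldap from 198.51.100.23 port 41876 ssh2",
    "May  3 09:02:44 gw01 sshd[3390]: Accepted publickey for admin from 192.0.2.10 port 50311 ssh2",
    "May 31 09:47:05 gw01 sshd[4112]: Accepted password for admin from 45.88.91.78 port 33010 ssh2",
    "May 31 09:48:10 gw01 sshd[4120]: Failed password for admin from 45.88.91.78 port 33012 ssh2",
]

if __name__ == "__main__":
    for f in triage_ssh_logins(SAMPLE_LOG, local_accounts={"admin", "svc_ldap"}):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A hit from this pass is a lead for the deeper investigation, not proof of compromise; the fuller indicator lists from Check Point and Mnemonic would replace the single-entry set used here.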
The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog.
UPDATE (June 5, 2024, 04:25 a.m. ET):
Greynoise has set up a tag keeping track of exploitation attempts.
The first exploit attempts were unsuccessful.
“The first real exploitation we observed began on the morning of May 31, around 9:40am UTC, when a New York-based IP address, 45.88.91.78, took a break from searching for CISCO ASA appliances and started launching exploits for this issue with a payload that would appear to actually work (and, in fact, is suspiciously identical to watchTowr’s PoC),” the company says.
“Around that same time, a chorus of different scanners emerged that used a bunch of different paths. Due to the nature of the vulnerability, it’s very hard to determine the actual intent of the attacker – all we know is which file they’re trying to fetch. Whether they’re using that to steal passwords or to test the vulnerability is hard to know.”