
Check Point VPN zero-day vulnerability exploited since the beginning of April (CVE-2024-24919)


Exploitation of a zero-day vulnerability in Check Point Security Gateways has been causing significant security concerns, as attackers target organizations to extract password hashes for local accounts. The vulnerability, tracked as CVE-2024-24919, has been actively exploited by threat actors to gain access to sensitive information and move laterally within the network.

According to IT security service provider Mnemonic, CVE-2024-24919 poses a critical threat as it can be exploited remotely without requiring any user interaction or privileges. Several attacks have been observed targeting this vulnerability, leading to the extraction of password hashes and compromising the security of the affected organizations.

Check Point disclosed the existence of the vulnerability and its exploitation in the wild following reports of attackers attempting to log in with outdated VPN local accounts that relied on weak, password-only authentication. The zero-day flaw allows attackers to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled, providing them with a pathway to move deeper into the network.

Further analysis by Mnemonic and watchTowr Labs researchers revealed that CVE-2024-24919 is a path traversal flaw that enables attackers to read any file on the system. In practice, however, attackers have focused primarily on extracting login credentials for local accounts, including service accounts used to connect to Active Directory, which escalates the severity of a breach well beyond the gateway itself.

Check Point confirmed that the vulnerability affects all Check Point Security Gateways with the Mobile Access Software Blade or IPsec VPN Blade enabled, specifically when the gateway is included in the Remote Access VPN community. The company has released hotfixes for affected Security Gateway appliances and advised customers to apply them promptly to mitigate the risk of exploitation.

Mnemonic reported instances in which attackers, within hours of compromising customer systems, extracted the primary database file of Microsoft's Active Directory Domain Services, using Visual Studio Code for traffic tunneling. This covert exfiltration of sensitive data highlights the sophistication of the attackers and the urgent need for organizations to strengthen their security measures.

In response to the escalating threat, Check Point has recommended additional security measures for organizations using their gateways and encouraged customers to check for signs of compromise. Mnemonic has identified specific IP addresses used by attackers for reconnaissance and exploitation, urging organizations to remain vigilant and proactive in their cybersecurity efforts.
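Because the article describes the flaw only in general terms (a path traversal bug that lets a request read files outside the intended directory) and then urges customers to check for signs of compromise, the following is an added illustration of both points from the defender's side. It is example code written for this article, not code from Check Point, Mnemonic or watchTowr, and it does not reproduce the real exploit: it shows a generic containment check that canonicalises a client-supplied path against a fixed document root and refuses anything that escapes it, and then applies the same check to web-server access log lines to surface requests that tried to escape. The document root, the log format and the log lines are all constructed for the example and are not the gateway's real file layout or log format.

```python
"""
Added example (not from the article, Check Point, Mnemonic or watchTowr):
generic path-traversal handling from the defender's side.

  1. resolve_under_root(): canonicalise a client-supplied path against a
     fixed base directory and refuse anything that lands outside it.
  2. find_traversal_attempts(): run that same containment check over
     access-log lines to flag requests that tried to escape the root.

WEB_ROOT, the log format and SAMPLE_LOG are constructed for this example.
"""
import posixpath
import re
import urllib.parse
from typing import Iterable, List, Optional, Tuple

WEB_ROOT = "/var/www/portal"  # assumed document root, not a real gateway path


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical absolute path for `requested`, or None if it
    would land outside `root`.

    The check is about *containment* after normalisation, not about the
    mere presence of '..': '/static/../login.html' is allowed because it
    still resolves inside the root.  Percent-decoding is applied twice to
    catch double-encoded separators such as '%252f'.
    """
    root = posixpath.normpath(root)
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in decoded:  # embedded NUL is never a legitimate path
        return None
    # Treat the client path as relative to the root whatever it claims.
    joined = posixpath.join(root, decoded.lstrip("/"))
    canonical = posixpath.normpath(joined)  # collapses '.', '..' and '//'
    if canonical == root or canonical.startswith(root + "/"):
        return canonical
    return None


# Constructed, Apache-style access log lines (192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not real attacker addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2024:08:12:01 +0000] "GET /login.html HTTP/1.1" 200 1532',
    '192.0.2.10 - - [30/May/2024:08:12:07 +0000] "GET /static/../login.html HTTP/1.1" 200 1532',
    '198.51.100.7 - - [30/May/2024:08:13:44 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/May/2024:08:13:45 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/opt/app/config.db HTTP/1.1" 404 0',
    '198.51.100.7 - - [30/May/2024:08:13:46 +0000] "GET /static/..%252f..%252f..%252fetc/hosts HTTP/1.1" 200 310',
]

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_traversal_attempts(
    lines: Iterable[str], root: str = WEB_ROOT
) -> List[Tuple[str, str, int]]:
    """Return (client_ip, raw_path, status) for every request whose path
    escapes `root`.  Status is kept because a 200 on an escaping request is
    the one that warrants an incident-response follow-up; a 404 still shows
    that someone was probing."""
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if resolve_under_root(path, root) is None:
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} -> HTTP {status}")
```

The two benign lines from 192.0.2.10 are not reported, including the one containing `..`, while all three requests from 198.51.100.7 are, whether the separator was plain, single-encoded or double-encoded. The regex and field layout are for the constructed sample only; against a real gateway's logs the parser would need to match that product's format, and this generic check complements rather than replaces the vendor's own indicators of compromise.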

The seriousness of the CVE-2024-24919 vulnerability has led to its inclusion in CISA’s Known Exploited Vulnerabilities catalog, underscoring the urgent need for affected organizations to assess and address their security posture. As the investigation into the exploitation continues, organizations are advised to prioritize the deployment of hotfixes and conduct thorough assessments to detect and remediate any compromises.

The swift response from security researchers and vendors underscores the collaborative effort to thwart malicious actors and safeguard critical infrastructure from cyber threats. By staying informed and proactive in implementing security measures, organizations can defend against evolving threats and protect their sensitive data from unauthorized access.
