BIGFISH TECHNOLOGY LIMITED
31 May 2024

Check Point VPN attacks use zero-day exploits since April

The Check Point VPN attacks reported this week exploit the zero-day vulnerability CVE-2024-24919, an information-disclosure flaw that lets attackers extract credential data, including local account password hashes, from exposed gateways.

Threat actors have been exploiting a zero-day vulnerability in Check Point VPNs to gain initial access to enterprise networks, and the attempts appear to have begun about a month ago.

Check Point warned customers earlier this week that it had seen "a small number" of attempts to remotely access enterprise networks through logins to legacy local VPN accounts protected by password-only authentication.

The cybersecurity firm initially released a hotfix that blocks password-only logins, but it did not say at the time that a vulnerability was being exploited.

However, further investigation revealed that the attacks exploited a previously unknown information-disclosure vulnerability. The zero-day, tracked as CVE-2024-24919, allows attackers to read certain information from internet-connected security gateways with Remote Access VPN or Mobile Access enabled.

CVE-2024-24919 affects Check Point Security Gateways with the IPsec VPN, Remote Access VPN, or Mobile Access software blade enabled. Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances are all affected.

Mnemonic, a managed detection and response (MDR) and threat intelligence provider, reports having seen attacks exploiting CVE-2024-24919 in its clients' environments since April 30.

According to the company, the vulnerability allows attackers to enumerate and retrieve the password hashes of all local accounts on the gateway.

"The entire scope of the impacts remains unknown. Password hashes of historical local users with password-only authentication, including service accounts used to connect to Active Directory, are known to be extractable. Weak passwords can be compromised, allowing for additional abuse and potential lateral movement within the network," Mnemonic stated.

"The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely," the company said.

Mnemonic said the attacks appear to be linked to activity it reported earlier this month in which threat actors abused Visual Studio Code for traffic tunneling. In those attacks, the threat actors used CVE-2024-24919 to collect user information, which they then used to move laterally within the compromised network.
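The practical consequence of Mnemonic's findings is that any local account whose hash sat on an exposed gateway since April 30 must be treated as potentially cracked, so defenders need to hunt for logins to those accounts during the exploitation window and plan credential rotation accordingly. The following Python script is an added example written for this page, not code from Check Point, Mnemonic, or the article; it runs a simple hunt over constructed, key=value style VPN log lines (the log format, account names, and IP addresses are invented stand-ins, not Check Point's real log schema) and flags successful logins to local accounts that either used password-only authentication during the window or came from a source address never seen for that account before the window opened. It then builds a rotation plan that singles out service accounts used for Active Directory, since those must also be rotated in AD.

```python
"""
Post-disclosure hunt for abuse of leaked local VPN account credentials.

Added example for this page. The log format, account names and addresses
below are CONSTRUCTED for illustration; they are not Check Point's log
schema. Adapt parse_line() to what your gateway or SIEM actually emits.
"""
from collections import defaultdict
from datetime import date, datetime

# Earliest observed exploitation per Mnemonic (30 April 2024).
EXPLOITATION_START = date(2024, 4, 30)

# Constructed sample events: one "timestamp key=value ..." record per line.
SAMPLE_LOG = """\
2024-04-12T08:01:44Z user=vpn-svc-ad auth=password src=203.0.113.10 result=success
2024-04-29T17:22:09Z user=jsmith auth=password+otp src=198.51.100.7 result=success
2024-05-02T03:14:51Z user=vpn-svc-ad auth=password src=192.0.2.77 result=success
2024-05-02T03:15:03Z user=backup-admin auth=password src=192.0.2.77 result=failure
2024-05-02T03:15:09Z user=backup-admin auth=password src=192.0.2.77 result=success
2024-05-03T09:40:00Z user=jsmith auth=password+otp src=198.51.100.7 result=success
"""

# Constructed inventory of local gateway accounts. "ad_service" marks a
# service account whose password is also used to bind to Active Directory.
LOCAL_ACCOUNTS = {
    "vpn-svc-ad": {"ad_service": True},
    "backup-admin": {"ad_service": False},
    "jsmith": {"ad_service": False},
}


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hunt(events, local_accounts, window_start=EXPLOITATION_START):
    """Return suspicious successful logins as (iso_ts, user, src, reasons).

    Logins before window_start build a per-account baseline of known
    source addresses; logins on or after it are compared against that
    baseline and against the authentication method used.
    """
    baseline = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("user") not in local_accounts or ev.get("result") != "success":
            continue
        if ev["ts"].date() < window_start:
            baseline[ev["user"]].add(ev["src"])
            continue
        reasons = []
        if ev.get("auth") == "password":
            reasons.append("password-only login during exploitation window")
        if ev["src"] not in baseline[ev["user"]]:
            reasons.append("source address never seen for this account before window")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return findings


def rotation_plan(findings, local_accounts):
    """Map each flagged account to the credential action it requires."""
    plan = {}
    for _, user, _, _ in findings:
        if local_accounts[user]["ad_service"]:
            plan[user] = "rotate on gateway AND in Active Directory; review AD logons"
        else:
            plan[user] = "rotate on gateway; require MFA or disable password-only login"
    return plan


if __name__ == "__main__":
    hits = hunt(parse_log(SAMPLE_LOG), LOCAL_ACCOUNTS)
    for ts, user, src, reasons in hits:
        print(f"{ts} {user} from {src}: {'; '.join(reasons)}")
    for user, action in rotation_plan(hits, LOCAL_ACCOUNTS).items():
        print(f"  {user}: {action}")
```

In the constructed data, jsmith's MFA-protected logins from a known address produce no finding, while the password-only service account and the backup-admin account both trip on a new source during the window. The baseline approach is deliberately conservative: a login from a previously unseen address is only a lead, so the output is meant to seed an investigation, not to stand as proof of compromise.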


Source: SecurityWeek