Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day since at least April 30, stealing Active Directory data that they then used to move laterally through victims' networks.
Check Point warned customers on Monday that attackers are targeting their security gateways using old VPN local accounts with insecure password-only authentication.
The company subsequently discovered the hackers were exploiting an information disclosure flaw (tracked as CVE-2024-24919) in these attacks and released hotfixes to help customers block exploitation attempts against vulnerable CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
"The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," Check Point explained in an update to the initial advisory.
"The attempts we've seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication."
Check Point says that once the hotfix released today is applied, login attempts that use weak credentials or weak authentication methods are blocked automatically and logged. Check Point also provides additional information about CVE-2024-24919 and hotfix installation instructions in this support document.
Exploited in attacks since April
While Check Point shared that the attacks targeting CVE-2024-24919 as a zero-day started around May 24, cybersecurity company Mnemonic warned today that it observed exploitation attempts in some of its customer environments since April 30.
The company added that the vulnerability is "particularly critical" because it is easy to exploit remotely: it requires neither user interaction nor any privileges on the targeted Check Point security gateways with Remote Access VPN and Mobile Access enabled.
"The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown," Mnemonic warned.
"However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network."
Threat actors have been observed extracting ntds.dit, the database that stores Active Directory data on users, groups, security descriptors, and password hashes, from compromised environments within two to three hours of logging in with a local user account.
The vulnerability has also been exploited to extract information which allowed the attackers to move laterally within the victim's network and misuse Visual Studio Code to tunnel malicious traffic.
Mnemonic advises Check Point customers to immediately update the affected systems to the patched version and remove any local users on vulnerable security gateways.
Admins are also advised to rotate the passwords of the accounts used for LDAP connections from the gateway to Active Directory, search the logs after patching for signs of compromise such as anomalous behavior and suspicious logins, and, where available, update the Check Point IPS signature to detect exploitation attempts.
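As an added worked example (not code from Check Point, Mnemonic, or this article), the following Python script performs the post-patch log review described above over a constructed, simplified set of remote-access authentication events. The key=value line format, the field names, the user names and the addresses are assumptions made for illustration and do not match Check Point's real log schema; adapt the parser to the export you actually have. It flags successful logins by local accounts that authenticate with a password only (the accounts the guidance says to remove and whose passwords must be rotated), and successful logins during the exploitation window from source addresses never seen before April 30.

```python
"""Post-patch triage of remote-access VPN login events for the
CVE-2024-24919 campaign.

Added example; not Check Point's, Mnemonic's, or the article's code.
The line format below is an ASSUMED, simplified key=value layout and
the events are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Earliest in-the-wild exploitation reported by Mnemonic (April 30, 2024).
EXPLOITATION_START = datetime(2024, 4, 30, tzinfo=timezone.utc)

# Constructed sample events in the assumed format (not real gateway logs).
SAMPLE_LOG = """\
2024-04-12T08:01:11Z src=198.51.100.10 user=alice auth=certificate realm=ldap result=accept
2024-04-20T09:30:42Z src=198.51.100.10 user=alice auth=certificate realm=ldap result=accept
2024-04-25T22:10:03Z src=192.0.2.77 user=vpn-legacy auth=password realm=local result=accept
2024-05-02T03:14:07Z src=203.0.113.45 user=vpn-legacy auth=password realm=local result=accept
2024-05-02T03:15:52Z src=203.0.113.45 user=ad-bind auth=password realm=local result=accept
2024-05-03T11:05:19Z src=198.51.100.10 user=alice auth=certificate realm=ldap result=accept
2024-05-04T01:44:00Z src=203.0.113.46 user=vpn-legacy auth=password realm=local result=reject
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    auth: str    # assumed values: "password" or "certificate"
    realm: str   # assumed values: "local" (gateway account) or "ldap" (AD)
    result: str  # assumed values: "accept" or "reject"


def parse_line(line: str) -> Event:
    """Parse one assumed-format line: ISO timestamp followed by key=value pairs."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return Event(ts, kv["src"], kv["user"], kv["auth"], kv["realm"], kv["result"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(events: list[Event], start: datetime = EXPLOITATION_START):
    """Return (event, reasons) pairs for successful logins worth a closer look.

    Baseline = source addresses that logged in successfully before the
    exploitation window; anything else during the window is "new".
    """
    baseline_ips = {e.src for e in events if e.result == "accept" and e.ts < start}
    findings = []
    for e in events:
        if e.result != "accept":
            continue
        reasons = []
        if e.realm == "local" and e.auth == "password":
            reasons.append("password-only local account")
        if e.ts >= start and e.src not in baseline_ips:
            reasons.append("new source IP during exploitation window")
        if reasons:
            findings.append((e, reasons))
    return findings


def local_password_accounts(events: list[Event]) -> list[str]:
    """Local accounts using password-only auth: candidates to remove, and
    whose credentials (including any AD/LDAP bind account) must be rotated."""
    return sorted({e.user for e in events if e.realm == "local" and e.auth == "password"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for event, why in triage(evts):
        print(f"{event.ts.isoformat()} {event.user}@{event.src}: {', '.join(why)}")
    print("local password-only accounts:", local_password_accounts(evts))
```

The baseline-of-known-addresses heuristic is deliberately simple: it will miss an attacker who reuses an address already in the baseline and will flag legitimate users who roamed. Treat its output as a starting point for the manual review the guidance calls for, not as a verdict, and widen the window if your logs predate April 30.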