Check Point VPN Attacks Involve Zero-Day Exploited Since April

May 30, 2024 at 05:48AM

Threat actors have been exploiting a zero-day vulnerability in Check Point VPN gateways to gain access to enterprise networks through old, password-only local VPN accounts. The vulnerability, tracked as CVE-2024-24919, affects certain Check Point Security Gateways and lets an unauthenticated remote attacker extract the password hashes of the gateway's local accounts. Security firm Mnemonic has observed attacks using CVE-2024-24919 in its customers' environments since April 30, 2024.

Mnemonic's findings show that the campaign against Check Point VPNs relies on CVE-2024-24919 to extract password hashes of local accounts, including those of service accounts the gateway uses to connect to Active Directory. The attacks have been ongoing for at least a month and have been seen in the environments of several of Mnemonic's customers.

Exploitation poses serious risk: hashes of weak passwords can be cracked offline, and the recovered credentials, particularly those of Active Directory service accounts, enable lateral movement inside the network. The attack requires no user interaction and no privileges and can be carried out remotely, so it is easy to exploit at scale. In the intrusions observed so far, the attackers also abused Visual Studio Code to tunnel traffic into the compromised networks.

Check Point's first response was a hotfix that blocks logins to local accounts that use password-only authentication. That limits what an attacker can do with stolen credentials but does not address exploitation of the vulnerability itself. The affected products are Check Point Security Gateways with the IPsec VPN, Remote Access VPN, or Mobile Access software blade enabled.

Organizations running affected gateways should act immediately: apply Check Point's fix, remove or harden password-only local accounts (moving them to certificate-based or multi-factor authentication), and reset the passwords of local and Active Directory service accounts configured on the gateway, since their hashes may already have been extracted.

Mnemonic's analysis and warnings about the consequences and the critical nature of the vulnerability should inform the severity assessment and the mitigation plan.

Monitoring for related activity is equally important: logins to local accounts, service-account authentication from unexpected sources, and unexpected tunneling tools such as Visual Studio Code appearing on internal hosts. Tracking security updates from Check Point and other relevant sources is part of managing the risk.
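The triage logic below is an added example and is not code from the article, from Check Point or from Mnemonic. It scores VPN authentication events for the signals the article points to (password-only local accounts, service accounts logging in over VPN, unfamiliar source addresses, and activity on or after April 30, 2024) and lists the local accounts whose passwords should be reset. The event schema, the trusted network ranges, the `svc-` naming convention and the sample events are all constructed assumptions for the example; the code does not parse Check Point's own log format.

```python
"""Triage of VPN authentication events for the activity the article describes.

Added example, not code from the article, Check Point or Mnemonic. It assumes a
simplified, hypothetical event schema (constructed below) and does not parse
Check Point's own log format.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Exploitation has been observed since April 30, 2024 (per the article).
EXPLOITATION_START = datetime(2024, 4, 30, tzinfo=timezone.utc)

# Assumptions for the example: corporate source ranges and a naming convention
# for service accounts. Adjust to your environment.
TRUSTED_NETS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
SERVICE_ACCOUNT_PREFIXES = ("svc-", "svc_")

# Constructed sample events (not real logs); RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"ts": "2024-04-28T09:12:00Z", "user": "alice", "account_type": "ad",
     "auth": "certificate", "src": "10.20.0.5", "result": "success"},
    {"ts": "2024-05-02T03:41:10Z", "user": "vpnuser01", "account_type": "local",
     "auth": "password", "src": "203.0.113.7", "result": "success"},
    {"ts": "2024-05-02T03:42:30Z", "user": "svc-ldap-bind", "account_type": "local",
     "auth": "password", "src": "203.0.113.7", "result": "success"},
    {"ts": "2024-05-03T11:00:00Z", "user": "bob", "account_type": "ad",
     "auth": "password+mfa", "src": "198.51.100.9", "result": "success"},
    {"ts": "2024-05-04T22:15:00Z", "user": "svc-ldap-bind", "account_type": "local",
     "auth": "password", "src": "10.20.0.50", "result": "failed"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample schema."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted_source(src):
    return any(ip_address(src) in net for net in TRUSTED_NETS)


def is_service_account(user):
    return user.lower().startswith(SERVICE_ACCOUNT_PREFIXES)


def triage(events):
    """Return one finding per suspicious event, highest severity first.

    high:   successful login in the exploitation window by a password-only local
            account or a service account (its credentials may have been cracked)
    medium: the same credential signals outside the window, or a failed attempt
    low:    only an unfamiliar source address
    """
    findings = []
    for e in events:
        reasons = []
        if e["account_type"] == "local" and e["auth"] == "password":
            reasons.append("password-only local account")
        if is_service_account(e["user"]):
            reasons.append("service account used for interactive VPN login")
        if not is_trusted_source(e["src"]):
            reasons.append("source outside trusted ranges")
        if not reasons:
            continue
        in_window = parse_ts(e["ts"]) >= EXPLOITATION_START
        credential_signal = any(not r.startswith("source") for r in reasons)
        if credential_signal and in_window and e["result"] == "success":
            severity = "high"
        elif credential_signal:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"severity": severity, "user": e["user"], "src": e["src"],
                         "ts": e["ts"], "result": e["result"], "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ts"]))


def accounts_to_reset(events):
    """Every local account seen in the events: its hash may have been read from
    the gateway, so it needs a new password whether or not it has logged in."""
    return sorted({e["user"] for e in events if e["account_type"] == "local"})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['ts']} {f['user']:14} from {f['src']:14} "
              f"{f['result']:7} :: {'; '.join(f['reasons'])}")
    print("reset passwords for:", ", ".join(accounts_to_reset(SAMPLE_EVENTS)))
```

On the sample data the two successful password logins from 203.0.113.7 on May 2 (a plain local account and the `svc-ldap-bind` service account) rank highest, the failed service-account attempt from inside the trusted range is medium, and bob's MFA login from an unfamiliar address is low. In practice the list of accounts to reset should come from the gateway's own local-account inventory rather than from whatever happens to appear in the logs.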

This information should be communicated promptly to the relevant stakeholders so that a coordinated response can contain the exposure and protect the network from further exploitation.