An alarming escalation of attacks exploits the vulnerability CVE-2024-24919, which affects Check Point security gateways. This vulnerability, classified as ‘serious’, allows attackers to extract sensitive information from Internet-facing devices that have the VPN Remote Access or Mobile Access Software Blade enabled.
Leaked information indicates that multiple malicious actors, including Initial Access Brokers (IABs), are actively exploiting the vulnerability to compromise vulnerable systems. IABs are cybercriminals who specialise in obtaining initial access to target networks and then selling that access to other groups for further malicious activity.
High risk: destructive consequences for companies
The potential impact of this vulnerability is substantial. An attacker who gains access to a compromised Check Point gateway can:
- Steal sensitive information: user credentials and other confidential information can be exfiltrated from the device.
- Compromise the internal network: the attacker can use VPN access as a launching pad to move laterally within the network and compromise other systems.
- Impact the business: steal data and, in the case of ransomware groups, encrypt the entire infrastructure.
Threat Intelligence activities
According to Cyberoo analysts, who as of 30 May conducted an in-depth scan for Check Point devices vulnerable to CVE-2024-24919, around 70 per cent of the Check Point devices in Italy were exposed to the flaw.
This finding is extremely worrying, as it highlights the large number of devices that have not yet been updated with the hotfix released by Check Point to resolve the vulnerability.
Exploitation of vulnerability CVE-2024-24919 to gain VPN access
Malicious attackers exploit CVE-2024-24919 to retrieve the MD5 password hashes of local users (stored in the /etc/shadow file) from compromised Check Point firewalls. Through cracking techniques that harness the computing power of multiple (NVIDIA) GPUs, it is possible, given sufficient time and computing resources, to recover the local user’s plaintext password from the hash.
If the local user in question has VPN access privileges, the malicious actor can exploit this credential to gain access to the corporate network, with potentially devastating consequences.
In the days immediately after (1-4 June), several users on forums and black markets began sharing information and selling stolen credentials.
Figure 1 – Conversation between users in a well-known criminal forum
Figure 2 – Trend of scans detected by GreyNoise
From the two figures above, the coincidence between forum conversations on the dark web and the start of massive scanning activity by hundreds of IPs is evident.
According to Cyberoo’s analysis, as early as 29 May some individuals started scanning the network for vulnerable devices.
Within the first hours, Cyberoo promptly warned its customers, and it is actively monitoring the situation.
Conclusion and advice
Update immediately to protect yourself
Check Point released a hotfix to fix vulnerability CVE-2024-24919. It is essential to install this update as soon as possible to mitigate the risk of attacks.
Cyberoo recommends resetting the passwords of all local credentials, as well as the password of the LDAP user account used by the firewall to authenticate against Active Directory.
It is worth emphasising the importance of NOT using domain admin users for LDAP binding and of enabling MFA for SSL VPN connections.
Last but not least, if it is not strictly necessary, it is recommended to disable SSL VPN functionality on firewalls, considering that in recent years practically all firewall manufacturers have been affected by critical vulnerabilities in this service.
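As an added example (not Cyberoo’s or Check Point’s tooling), the following Python script audits a copy of /etc/shadow of the kind described in the exploitation section above, flagging local accounts that still carry an md5crypt ($1$) hash and accounts whose password has not been changed since a chosen cutoff date, so that the local credential reset recommended here can be verified. The sample dump, its salts and digests, and the 30 May 2024 cutoff are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# crypt(3) prefix -> scheme; md5crypt ($1$) is the one the advisory calls GPU-crackable.
HASH_ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$2b$": "bcrypt", "$y$": "yescrypt"}
WEAK_ALGOS = {"md5crypt"}
EPOCH = date(1970, 1, 1)  # shadow's lastchange field counts days from here
@dataclass
class Finding:
    user: str
    algo: str
    weak: bool   # hash scheme that is cheap to brute-force on GPUs
    stale: bool  # password not changed on or after the cutoff date

def classify(hash_field: str):
    """Scheme name for a usable hash; None for locked or empty entries."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return None
    for prefix, name in HASH_ALGOS.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"

def audit_shadow(lines, cutoff: date):
    """One Finding per account that still has a usable password hash."""
    cutoff_days = (cutoff - EPOCH).days
    findings = []
    for raw in lines:
        fields = raw.strip().split(":")
        if len(fields) < 3 or not fields[0]:
            continue  # malformed or empty line: skip rather than guess
        user, hash_field, lastchg = fields[:3]
        algo = classify(hash_field)
        if algo is None:
            continue
        stale = not lastchg.isdigit() or int(lastchg) < cutoff_days
        findings.append(Finding(user, algo, algo in WEAK_ALGOS, stale))
    return findings

# Constructed sample dump: salts and digests are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "admin:$1$c0nstrct$AAAAAAAAAAAAAAAAAAAAAA:19700:0:99999:7:::",
    "vpnuser:$1$c0nstrct$BBBBBBBBBBBBBBBBBBBBBB:19880:0:99999:7:::",
    "svc_ldap:$6$c0nstrct$CCCCCCCCCCCCCCCCCCCCCC:19600:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
    "guest:!!:19000:0:99999:7:::",
]
def audit_sample():
    """Run the audit on the constructed dump with 30 May 2024 (assumed reset date) as cutoff."""
    return audit_shadow(SAMPLE_SHADOW, date(2024, 5, 30))
```

Accounts reported as weak or stale are the ones to reset first; locked entries (`*`, `!`) are skipped because they cannot be used for VPN login.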
The importance of keeping equipment up-to-date
This incident underlines the importance of keeping all software and firmware of network devices up-to-date as soon as the manufacturer makes a security patch available. Unpatched vulnerabilities are a breeding ground for cyber attacks, with potentially devastating consequences for businesses.
In addition to installing security updates, organisations should implement additional security measures, such as:
- Regular vulnerability scans: use dedicated tools to identify and correct vulnerabilities on your systems.
- Network segmentation: divide the network into distinct segments to limit the impact of a compromise.
- Access control: implement strict controls for access to systems and network resources.
- Cybersecurity training: educate employees on cyber risks and best practices to protect themselves from online threats.
- Real-time monitoring: applying patches and updates is not enough; logs and telemetry must be actively monitored to detect suspicious activity within your perimeter.
Taking these proactive measures can help significantly reduce the risk of cyber attacks and protect corporate information.