Update Check Point VPN: Hackers steal Active Directory databases

Tomcat

What do you need to know about a new actively exploited vulnerability?

Check Point reported that attackers have been actively exploiting a critical vulnerability in the Check Point VPN remote access system since the end of April, which allows them to steal Active Directory data and move further within victims' networks.

On May 27, Check Point warned its customers that attacks targeted their security systems through outdated local VPN accounts with unreliable password-based authentication.

Further investigation revealed that hackers used the information disclosure vulnerability CVE-2024-24919 (CVSS v3.1 score: 7.5) to carry out attacks. The company has released patches to help customers block exploitation attempts against vulnerable products such as CloudGuard, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark.

In an updated notice, Check Point explained that this vulnerability allows an attacker to read certain information on Internet-connected gateways with remote VPN or mobile access enabled. The recorded attack attempts are mainly aimed at remote access scenarios through old local accounts with password-only authentication, which is not recommended.

After installing the patch, all login attempts using weak credentials and authentication methods will be automatically blocked and logged.

Although Check Point reported that attacks targeting CVE-2024-24919 began around May 24, mnemonic said it had seen attempts to exploit the vulnerability in its customers' networks since April 30. The company noted that this vulnerability is "particularly critical" due to the ease of remote exploitation, as it does not require user interaction or any privileges on the attacked Check Point devices.

According to mnemonic, the vulnerability allows attackers to extract password hashes for all local accounts, including accounts used to connect to Active Directory. Weak passwords can be cracked, leading to further misuse and possible lateral movement within the network.

It was noticed that attackers extracted ntds.dit, the database that stores Active Directory data about users, groups, security descriptors, and password hashes, from compromised systems within 2-3 hours of logging in with a local user account.

The vulnerability was also used to extract information that allowed attackers to move inside the victim's network and abuse Visual Studio Code to tunnel malicious traffic.

mnemonic advises Check Point customers to immediately update affected systems to the patched version and remove all local users on vulnerable security gateways. Administrators are also encouraged to change the passwords and accounts used for LDAP connections to Active Directory, analyze logs for signs of compromise, such as abnormal behavior and suspicious login attempts, and, if possible, update the Check Point IPS signatures to detect exploitation attempts.
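The log review recommended above can be scripted. The following is an added example written for this post, not code from Check Point or mnemonic; it runs over a handful of constructed syslog-style VPN authentication lines in an assumed generic `key=value` layout (not Check Point's real log schema, so the field names and the parsing regex must be adapted to the gateway's actual export). It flags three things the post calls out: successful password logins to local (non-directory) accounts on or after April 30, the earliest exploitation date mnemonic reported; bursts of failed password attempts against one account from one source; and the full list of local accounts seen, which is the set an administrator is advised to remove.

```python
"""Triage VPN authentication logs for the indicators named in the post.

The log format below is an assumed, generic syslog-style layout constructed
for this example; it is not Check Point's real log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real gateway output).
SAMPLE_LOGS = """\
2024-04-20T08:00:00Z gw1 vpn: user=admin auth=password source=local src=10.0.0.5 result=success
2024-05-01T02:14:07Z gw1 vpn: user=admin auth=password source=local src=203.0.113.10 result=success
2024-05-01T02:14:30Z gw1 vpn: user=svc_ad auth=password source=local src=203.0.113.10 result=success
2024-05-01T09:00:01Z gw1 vpn: user=jsmith auth=certificate source=ldap src=198.51.100.5 result=success
2024-05-02T11:05:00Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=failure
2024-05-02T11:05:03Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=failure
2024-05-02T11:05:06Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=failure
2024-05-02T11:05:09Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=failure
2024-05-02T11:05:12Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=failure
2024-05-02T11:05:40Z gw1 vpn: user=backup auth=password source=local src=192.0.2.77 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn: user=(?P<user>\S+) auth=(?P<auth>\S+) "
    r"source=(?P<source>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Earliest exploitation date reported by mnemonic in the post.
EXPLOITATION_START = datetime(2024, 4, 30)
# Thresholds for the failed-attempt burst rule (chosen for this example).
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=5)


def parse_logs(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def local_password_logins(events):
    """Successful password logins to local accounts inside the exploitation window."""
    return [
        e for e in events
        if e["source"] == "local" and e["auth"] == "password"
        and e["result"] == "success" and e["ts"] >= EXPLOITATION_START
    ]


def failed_attempt_bursts(events):
    """(src, user) pairs with >= BURST_THRESHOLD failures inside BURST_WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["src"], e["user"])].append(e["ts"])
    flagged = set()
    for key, stamps in failures.items():
        stamps.sort()
        # Sliding window over consecutive failures for this source/account pair.
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                flagged.add(key)
                break
    return flagged


def local_accounts_seen(events):
    """Every local account that appears in the log; the post advises removing them."""
    return sorted({e["user"] for e in events if e["source"] == "local"})


def triage(text):
    """Run all three checks and return a summary suitable for a ticket or report."""
    events = parse_logs(text)
    return {
        "local_password_logins": [
            (e["ts"].isoformat(), e["user"], e["src"]) for e in local_password_logins(events)
        ],
        "failed_attempt_bursts": sorted(failed_attempt_bursts(events)),
        "local_accounts": local_accounts_seen(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

The April 20 `admin` login is deliberately left out of the first finding because it predates the reported exploitation window, while the same account's May 1 login is kept; the `backup` account is reported both for the burst of failures and for the success that follows it, which is the pattern worth escalating first.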