Attacks Surge on Check Points Recent VPN Zero-Day Flaw

  /     /     /  
Publicated : 23/11/2024   Category : security


Attacks Surge on Check Points Recent VPN Zero-Day Flaw


One monitoring firm has detected exploitation attempts targeting CVE-2024-24919 from more than 780 unique IP addresses in the past week.



Exploit activity targeting a recent information disclosure flaw in Check Points VPN technology has soared in recent days, heightening the need for organizations to address the flaw immediately.
The vulnerability, identified as
CVE-2024-24919
, affects software in multiple versions of Check Points CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All the affected products are Check Point security gateways with IPsec VPN functionality.
Check Point has warned of the vulnerability allowing attackers to access sensitive information in the security gateways that, in some instances, could allow them to move laterally on a compromised network and gain domain admin privileges. The security vendor disclosed the vulnerability May 28 —
along with a hotfix for it
— amid reports of active exploitation attempts. Check Point has identified the exploitation activity as having started in early April, nearly two months before disclosure.
In a report released this week, Internet traffic scanning firm Greynoise said it had detected
rapidly increasing exploitation
attempts targeting CVE-2024-24919 since May 31, or shortly after a proof-of-concept for the flaw became publicly available. According to Greynoise, initial attempts to target the vulnerability actually began a day earlier from a Taiwan-based IP address, but those involved a non-working exploit.
The first real exploit attempt originated from a New York-based IP address. By June 5, Greynoise detected as many as 782 IPs from around the world targeting the vulnerability. With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible, Greynoise advised.
A Censys scan earlier this week
identified some 13,754 Internet-exposed systems
running at least one of the three software products that Check Point has identified as affected by CVE-2024-24919. Some 12,100 of the exposed hosts were Check Point Quantum Spark gateway devices, about 1,500 were Quantum Security Gateways and some 137 were Check Point CloudGuard appliances. More than 6,000 of the Internet-exposed hosts were located in Japan. Other countries with a relatively high concentration of exposed Check Point appliances included Italy (1,012), the US (917), and Israel (845).
At the time of Censys scan, less than 2% of the Internet-exposed Check Point Quantum Spark gateways appeared to be running a patched version of the affected software.
Researchers at WatchTowr who analyzed the Check Point flaw have described it as not too difficult to find and
extremely easy to exploit.
Check Point has assigned the flaw a severity rating of 8.6 out of 10 on the CVSS scale and described exploits targeting it as involving low complexity, no user interaction, and no special user privileges.
The US Cybersecurity and Information Security Agency (CISA) has added CVE-2024-24919 to its catalog of
known exploited vulnerabilities
. All federal civilian executive branch agencies have until June 20 to either apply Check Points recommended mitigations for the flaw or to discontinue use of the affected products until they have fixed it. In the past, CISA and other organizations such as the FBI and the NSA have repeatedly warned about vulnerabilities in VPNs and other secure access technologies as presenting a high risk to organizations because of the extent to which
attackers have targeted these flaws
in recent years.
Check Point has recommended that affected organizations install its latest Jumbo Hotfix Accumulators to address the security vulnerability. Organizations that cannot immediately deploy the Jumbo Hotfix Accumulator — basically a package that contains
fixes for multiple issues
in multiple products — should install the security hotfix for CVE-2024-24919, Check Point noted.
Organizations should install the hotfix on any affected security gateway and cluster where the IPSec VPN Software Blade feature is enabled as part of the Remote Access VPN Community, or when the Mobile Access Software Blade feature is enabled, according to the security vendor.
This is a critical vulnerability thats being actively exploited in the wild, Censys warned. However, there are a couple of mitigating factors as well, the company noted. For one thing, the vulnerability only affects gateways with certain configurations. Also, successful exploitation does not necessarily mean full device compromise; other circumstances need to be in place, like the presence of exposed password files on your devices local filesystem.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Attacks Surge on Check Points Recent VPN Zero-Day Flaw