Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild.
Tracked as CVE-2024-24919 (CVSS score: 7.5), the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled,” Check Point said.
Hotfixes are available in the following versions –
- Quantum Security Gateway and CloudGuard Network Security Versions – R81.20, R81.10, R81, R80.40
- Quantum Maestro and Quantum Scalable Chassis – R81.20, R81.10, R80.40, R80.30SP, R80.20SP
- Quantum Spark Gateways Version – R81.10.x, R80.20.x, R77.20.x
The development comes days after the Israeli cybersecurity company warned of attacks targeting its VPN devices to infiltrate enterprise networks.
“By May 24, 2024, we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method,” it noted earlier this week.
This has now been traced back to a new high-severity zero-day discovered in Security Gateways with IPSec VPN, Remote Access VPN and the Mobile Access software blade.
Check Point did not elaborate on the nature of the attacks, but noted in an FAQ that the exploitation attempts observed so far focus on “remote access on old local accounts with unrecommended password-only authentication” against a “small number of customers.”
The targeting of VPN devices is only the latest in a series of attacks on network perimeter appliances, following similar intrusions against devices from Barracuda Networks, Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware in recent years.
“Attackers are motivated to gain access to organizations over remote-access setups so they can try to discover relevant enterprise assets and users, seeking for vulnerabilities in order to gain persistence on key enterprise assets,” Check Point said.
Exploitation Attempts Detected Since April 30, 2024
In an advisory published on Wednesday, cybersecurity firm mnemonic said it observed exploitation attempts involving CVE-2024-24919 and targeting its customer environments since April 30, 2024.
“The vulnerability is considered critical because it allows unauthorized actors to extract information from gateways connected to the internet,” the company said. “The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory.”
“However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network.”
The Norwegian company further described the flaw as critical and trivial to exploit, since it requires neither user interaction nor privileges.
Evidence gathered so far shows that the vulnerability has also been weaponized to extract the Active Directory database (NTDS.dit) within two to three hours of logging in with a local user account, after which the unknown actors moved laterally within the network and abused the remote development extensions in Visual Studio (VS) Code to tunnel network traffic and evade detection.
“The threat actor used approximately three hours to execute their attack chain,” mnemonic noted, adding the technique has been put to use in a “cyber espionage context.”
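The chain mnemonic describes (a password-only local VPN login, NTDS.dit extraction within roughly three hours, then VS Code tunnels for evasion) lends itself to a simple time-window correlation. The following Python is an added example written for this page, not detection content from Check Point or mnemonic. It assumes gateway, domain-controller and endpoint logs have already been normalised into the dict shape shown; the sample records, the field names and the list of VS Code tunnel service domains are constructed assumptions, and no user or host join is attempted because the VPN account and the Active Directory account in the reported chain are different identities.

```python
"""Correlate password-only VPN logins with the follow-on activity mnemonic described.

Added example for this article, not code from Check Point or mnemonic. It assumes
gateway, domain-controller and endpoint logs have already been normalised into the
dict shape used in SAMPLE_EVENTS; the field names and the sample records are
constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Command-line indicators of NTDS.dit extraction on a domain controller.
NTDS_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bntdsutil(\.exe)?\b.*\bifm\b",           # "install from media" dump of the AD database
    r"\bvssadmin(\.exe)?\s+create\s+shadow",    # shadow copy to read the locked ntds.dit
    r"ntds\.dit",                               # any direct reference to the file
)]

# VS Code remote tunnel indicators: the CLI subcommand and the tunnel service domains.
# The domain list is an assumption; confirm against your own DNS/proxy telemetry.
VSCODE_TUNNEL_CMD = re.compile(r"\bcode(\.exe)?\s+tunnel\b", re.I)
VSCODE_TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

# Constructed sample events (not real logs). "auth" distinguishes password-only
# local VPN accounts from accounts that also present a certificate.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T08:02:11Z", "type": "vpn_login", "user": "vpn-legacy01",
     "auth": "password", "src": "203.0.113.45"},
    {"ts": "2024-05-20T09:10:03Z", "type": "process", "host": "dc01", "user": "svc-ldapbind",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\ifm" q q'},
    {"ts": "2024-05-20T09:40:50Z", "type": "process", "host": "ws17", "user": "svc-ldapbind",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name ws17"},
    {"ts": "2024-05-20T09:41:02Z", "type": "dns", "host": "ws17",
     "query": "global.rel.tunnels.api.visualstudio.com"},
    {"ts": "2024-05-21T10:00:00Z", "type": "vpn_login", "user": "vpn-legacy02",
     "auth": "password", "src": "203.0.113.46"},
    {"ts": "2024-05-21T13:00:00Z", "type": "vpn_login", "user": "alice",
     "auth": "password+certificate", "src": "198.51.100.7"},
    {"ts": "2024-05-21T18:30:00Z", "type": "process", "host": "dc01", "user": "backup-admin",
     "cmdline": "vssadmin create shadow /for=C:"},   # too long after the last login to correlate
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(ev: dict):
    """Map one event to a stage of the reported chain, or None if it is not an indicator."""
    kind = ev.get("type")
    if kind == "vpn_login" and ev.get("auth") == "password":
        return "password_only_vpn_login"
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in NTDS_PATTERNS):
            return "ntds_extraction"
        if VSCODE_TUNNEL_CMD.search(cmd):
            return "vscode_tunnel"
    if kind == "dns" and ev.get("query", "").endswith(VSCODE_TUNNEL_DOMAINS):
        return "vscode_tunnel"
    return None


def correlate(events, window_hours: float = 3.0):
    """Alert on each password-only VPN login that is followed within window_hours by
    NTDS extraction or VS Code tunnel indicators anywhere in the estate. The default
    window reflects the roughly three-hour chain mnemonic observed."""
    tagged = sorted(((parse_ts(e["ts"]), classify(e), e) for e in events), key=lambda t: t[0])
    window = timedelta(hours=window_hours)
    alerts = []
    for ts, tag, ev in tagged:
        if tag != "password_only_vpn_login":
            continue
        followups = [(t2, e2) for ts2, t2, e2 in tagged
                     if t2 in ("ntds_extraction", "vscode_tunnel") and ts < ts2 <= ts + window]
        if followups:
            alerts.append({
                "login": ev,
                "stages": sorted({t2 for t2, _ in followups}),
                "events": [e2 for _, e2 in followups],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["login"]["user"], "->", alert["stages"], len(alert["events"]), "events")
```

Run against the constructed events, only the `vpn-legacy01` login produces an alert: the `ntdsutil` "ifm" dump, the `code tunnel` launch and the tunnel-service DNS query all fall inside the three-hour window. The certificate-backed `alice` login is never a trigger, and the later `vssadmin` shadow copy is more than three hours after any password-only login, so it is left for other rules. In production the trigger would also carry the gateway's own audit of which local accounts still use password-only authentication, which is the population Check Point says the observed attempts are aimed at.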
(The story was updated after publication to include details of exploitation attempts shared by mnemonic.)