Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Check Point VPN Attacks Involve Zero-Day Exploited Since April

The recently disclosed Check Point VPN attacks involve the zero-day vulnerability CVE-2024-24919, which allows hackers to obtain passwords.

VPN attack

Attempts by threat actors to gain initial access to enterprise networks through Check Point VPNs involved the exploitation of a zero-day vulnerability, and the attacks appear to have started one month ago.

Check Point warned customers earlier this week that it had become aware of “a small number” of attempts to remotely gain access to enterprise networks through logins that leveraged old VPN local accounts protected by password-only authentication. 

The cybersecurity firm initially released a hotfix to prevent password-only logins, but it did not mention the exploitation of a vulnerability.

However, further analysis showed that the attacks actually involved a previously unknown information disclosure vulnerability. Tracked as CVE-2024-24919, the zero-day allows hackers to obtain information on internet-connected network security gateways that have remote access VPN or mobile access enabled. 

CVE-2024-24919 has been found to impact Check Point Security Gateways with IPsec VPN, Remote Access VPN or the Mobile Access blade enabled. Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark products are affected

MDR and threat intelligence firm Mnemonic reported seeing attacks exploiting CVE-2024-24919 in its customers’ environments since April 30.

The company explained that the vulnerability allows threat actors to enumerate and extract password hashes for all local accounts. 

“The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network,” Mnemonic said.

Advertisement. Scroll to continue reading.

“The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely,” the company warned.

Mnemonic noted that the attacks appear to be linked to activity it described earlier this month, which involved the misuse of Visual Studio Code for traffic tunneling. In those attacks, threat actors exploited CVE-2024-24919 to extract user information that was then used to move laterally in the compromised network.

Related: New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System

Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.