Attempts by threat actors to gain initial access to enterprise networks through Check Point VPNs involved the exploitation of a zero-day vulnerability, and the attacks appear to have started one month ago.
Check Point warned customers earlier this week that it had become aware of “a small number” of attempts to remotely gain access to enterprise networks through logins that leveraged old VPN local accounts protected by password-only authentication.
The cybersecurity firm initially released a hotfix to prevent password-only logins, but it did not mention the exploitation of a vulnerability.
However, further analysis showed that the attacks actually involved a previously unknown information disclosure vulnerability. Tracked as CVE-2024-24919, the zero-day allows hackers to obtain information on internet-connected network security gateways that have remote access VPN or mobile access enabled.
CVE-2024-24919 has been found to impact Check Point Security Gateways with IPsec VPN, Remote Access VPN or the Mobile Access blade enabled. Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark products are affected.
MDR and threat intelligence firm Mnemonic reported seeing attacks exploiting CVE-2024-24919 in its customers’ environments since April 30.
The company explained that the vulnerability allows threat actors to enumerate and extract password hashes for all local accounts.
“The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network,” Mnemonic said.
“The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely,” the company warned.
Mnemonic noted that the attacks appear to be linked to activity it described earlier this month, which involved the misuse of Visual Studio Code for traffic tunneling. In those attacks, threat actors exploited CVE-2024-24919 to extract user information that was then used to move laterally in the compromised network.
Related: New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System
Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks
Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability