Heightened Exploit Attempts on Check Point's Recent VPN Zero-Day Vulnerability


Posted on: 12 Jun 2024 | Author: Foresiet

Introduction

A significant surge in exploitation attempts targeting a newly disclosed information disclosure flaw in Check Point's VPN technology has been observed recently. This has underscored the urgent need for organizations to address the vulnerability immediately.

Critical Vulnerability Details

The flaw, identified as CVE-2024-24919, affects multiple versions of Check Point's security gateways, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. All these products feature IPsec VPN functionality and are crucial for network security.

Dangerous Potential

Check Point has issued a warning that this vulnerability allows attackers to access sensitive information within the security gateways. In some cases, this could enable lateral movement within a compromised network and potentially allow attackers to gain domain admin privileges. The vulnerability was disclosed on May 28, along with a hotfix, amidst reports of active exploitation attempts that began as early as April.

Escalating Exploit Activity

According to a recent report by the Internet traffic scanning firm GreyNoise, exploitation attempts targeting CVE-2024-24919 have increased rapidly since May 31, following the public release of a proof-of-concept. Initial attempts were detected from a Taiwan-based IP address using a non-working exploit, but effective exploitation soon followed from a New York-based IP address. By June 5, GreyNoise had identified attempts from 782 unique IP addresses globally.

Widespread Vulnerability

A recent scan by Censys revealed approximately 13,754 internet-exposed systems running vulnerable versions of the affected Check Point software. This includes over 12,100 Quantum Spark gateway devices, about 1,500 Quantum Security Gateways, and around 137 CloudGuard appliances. Notably, a significant concentration of these exposed hosts is located in Japan, with other high-risk areas including Italy, the US, and Israel. Alarmingly, less than 2% of these systems were running a patched version of the software at the time of the scan.

Ease of Exploitation

Researchers have characterized the Check Point flaw as relatively easy to discover and exploit. It has been assigned a severity rating of 8.6 out of 10 on the CVSS scale, with exploitation requiring low complexity, no user interaction, and no special privileges. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-24919 to its catalog of known exploited vulnerabilities, requiring federal civilian executive branch agencies to apply mitigations by June 20 or cease using the affected products until fixed.

Mitigation Strategies

Check Point advises affected organizations to install the latest Jumbo Hotfix Accumulators to address this critical vulnerability. If immediate deployment of the Jumbo Hotfix Accumulator is not feasible, the security hotfix for CVE-2024-24919 should be applied. This is especially crucial for any security gateway or cluster with the IPsec VPN Software Blade feature enabled as part of the Remote Access VPN Community, or where the Mobile Access Software Blade feature is active.
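
The scoping rule above can be turned into a patch-priority triage over a gateway inventory. The following is an added example, not Check Point or Foresiet code; the CSV columns, gateway names and status labels are hypothetical, the inventory is constructed, and the deadline year is assumed from the post date.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are hypothetical,
# not a Check Point export format.
INVENTORY_CSV = """name,product,ipsec_vpn_blade,remote_access_community,mobile_access_blade,hotfix
gw-edge-01,Quantum Security Gateway,yes,yes,no,none
gw-edge-02,Quantum Spark,yes,no,no,none
gw-branch-07,Quantum Spark,no,no,yes,
gw-dc-03,CloudGuard Network,yes,yes,yes,jumbo
gw-lab-09,Quantum Maestro,yes,yes,no,security
"""

# CISA mitigation deadline from the article; the year is assumed from the post date.
KEV_DUE = date(2024, 6, 20)
PRIORITY = {"urgent": 0, "schedule": 1, "patched": 2}


def _yes(row, key):
    return (row.get(key) or "").strip().lower() == "yes"


def in_priority_scope(row):
    """IPsec VPN blade in the Remote Access VPN community, or Mobile Access blade active."""
    remote_access = _yes(row, "ipsec_vpn_blade") and _yes(row, "remote_access_community")
    return remote_access or _yes(row, "mobile_access_blade")


def classify(row):
    hotfix = (row.get("hotfix") or "").strip().lower()
    if hotfix in ("jumbo", "security"):  # either fix addresses CVE-2024-24919
        return "patched"
    # Blank or unrecognised hotfix status is treated as unpatched.
    return "urgent" if in_priority_scope(row) else "schedule"


def triage(csv_text):
    """Return [(gateway, status)] with the most urgent gateways first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ranked = [(row["name"], classify(row)) for row in rows]
    return sorted(ranked, key=lambda item: PRIORITY[item[1]])


def days_to_deadline(today):
    return (KEV_DUE - today).days


if __name__ == "__main__":
    for name, status in triage(INVENTORY_CSV):
        print(f"{name:14} {status}")
    print("days to CISA deadline:", days_to_deadline(date(2024, 6, 12)))
```

Gateways marked `schedule` are unpatched but outside the configurations the advisory singles out; they still need the hotfix, only after the `urgent` group.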

Conclusion

The active exploitation of CVE-2024-24919 highlights the critical importance of timely vulnerability management and patch application. Organizations must ensure their systems are up-to-date and secure to prevent such breaches. Staying informed with the latest cybersecurity updates and implementing robust security measures, including stolen credentials detection, darknet monitoring services, dark web surveillance, compromised data tracking, digital footprint analysis, brand protection, brand impersonation defense, online risk evaluation, and digital threat scoring, are essential strategies to protect digital assets from emerging threats.

By maintaining vigilance and adhering to best practices in cybersecurity, organizations can significantly reduce their risk of falling victim to these sophisticated and escalating cyber threats.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
