CVE-2024-24919 Detection: Zero-Day Vulnerability Actively Exploited for In-the-Wild Attacks Against Check Point’s VPN Gateway Products

There is a growing interest among hacking collectives in exploiting remote-access VPN environments, commonly abusing zero-day vulnerabilities as entry points and attack vectors into enterprises. A novel critical zero-day vulnerability in Check Point Network Security gateway products, tracked as CVE-2024-24919, has hit the headlines. Since April 2024, the flaw has been exploited in in-the-wild VPN attacks, already impacting a set of VPN solutions and cybersecurity vendors. The vulnerability gives attackers the green light to gain access to specific data on Internet-connected Gateways with Remote Access VPN or Mobile Access enabled.

Detect CVE-2024-24919 Exploits 

Since CVE-2024-24919 is critical and trivial to exploit, giving attackers an easy way to gain remote access to sensitive enterprise assets, security professionals need a reliable source of CTI and curated detection content to identify possible intrusions in time. SOC Prime Platform for collective defense offers a global feed on the latest TTPs, serving detections for emerging threats under a 24-hour SLA so you can stay on top of trending CVEs.

The rule by the SOC Prime Team below is based on a publicly available PoC and helps security experts identify CVE-2024-24919 exploitation attempts. The detection is compatible with 30 SIEM, EDR, and Data Lake solutions, mapped to the MITRE ATT&CK framework, and enriched with actionable CTI and extensive metadata to smooth out threat investigation.

Possible CVE-2024-24919 (Check Point Security Gateway Information Disclosure) Exploitation Attempt (via proxy)

To stay on top of possible intrusions and remediate the risk of a breach, cyber defenders might explore the entire collection of relevant detection algorithms for proactive vulnerability detection and management, available via the Explore Detections button on the SOC Prime Platform.

CVE-2024-24919 Analysis

Attackers are driven to access organizations of diverse sizes and maturity levels through remote-access setups in order to identify relevant enterprise assets and users. They also keep searching for security bugs they can weaponize to maintain persistence on crucial enterprise assets.

Check Point has recently issued an important security update warning the global cyber defender community about a new zero-day vulnerability in its Network Security gateway products, which has been exploited in the wild since mid-spring 2024. The vulnerability was discovered by the vendor on May 28, 2024. Successful exploitation attempts can lead to unauthorized access to sensitive information on the Security Gateway. The observed VPN attacks target remote access scenarios involving old local accounts that rely solely on password authentication.

Identified as CVE-2024-24919, the flaw affects CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.

According to Mnemonic, CVE-2024-24919 might be considered critical since it can be weaponized remotely without any user interaction or privileges, posing a significant risk to potentially affected organizations and individual users.

As CVE-2024-24919 mitigation measures, the vendor recommends promptly installing a hotfix on Check Point Network Security gateways to minimize the risks of VPN attacks due to vulnerability exploitation. The hotfix is applicable to potentially impacted Security Gateway instances that have the IPsec VPN Blade enabled and are included in the Remote Access VPN community, or that have the Mobile Access Software Blade turned on.

As additional steps to strengthen the organization’s VPN security posture, Check Point also recommends continuously tracking local accounts, disabling them if unused, and applying additional levels of security protection apart from password-only authentication.

As VPN attacks surge and vulnerabilities are largely exploited in the wild, the risks of intrusions via multiple attack vectors are escalating, encouraging defenders to reshape their cyber defense strategies in response. Leveraging SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation, organizations can preempt attacks of any kind with cutting-edge tools and the global industry expertise at their disposal.
