CVE-2024-24919: Check Point VPN Zero-Day Exploited by Qilin Affiliate
- [01] Attackers are exploiting a zero-day vulnerability to steal credentials and deploy ransomware across corporate networks.
- [02] Affected systems include Check Point Quantum Spark, Maestro, and Force gateways with Remote Access VPN enabled.
- [03] Defenders must apply the vendor hotfix and immediately reset all local gateway account passwords.
Since early May 2024, threat actors have been actively targeting a critical Zero-Day vulnerability in Check Point Security Gateways. Identified as CVE-2024-24919, this information disclosure CVE allows unauthenticated attackers to read sensitive files on internet-connected gateways. According to Dark Reading, the vulnerability has been leveraged by affiliates of the Qilin Ransomware operation to facilitate initial access and internal reconnaissance.
The exploit focuses on gateways with the Remote Access VPN or Mobile Access Software Blades enabled. Once exploited, an unauthenticated attacker can gain access to sensitive system information, such as the etc/shadow file, which contains password hashes for local accounts. This data is then utilized for Lateral Movement within the internal network. The CVSS score reflects the severity of the threat, as it requires no user interaction and provides a direct path to credential theft and perimeter bypass.
Technical Analysis of CVE-2024-24919
The vulnerability is categorized as an arbitrary file read. In the context of a security gateway, this is particularly dangerous because it bypasses the traditional boundaries between the public internet and the internal management plane. Attackers have been observed targeting the /etc/shadow file to extract hashes for local accounts. If these accounts lack multi-factor authentication, the attacker can establish a persistent presence by logging back into the VPN using legitimate, albeit stolen, credentials.
Incident response findings indicate that Qilin ransomware lateral movement techniques often involve exploiting such gateway vulnerabilities to bypass the perimeter. Once inside, the actors move from the gateway to more sensitive infrastructure such as domain controllers or file servers. This TTP is consistent with sophisticated ransomware-as-a-service (RaaS) operations that prioritize gaining high-level administrative access as quickly as possible.
How to Detect CVE-2024-24919 Exploit and Unauthorized Access
Detecting this activity requires a detailed audit of gateway logs and internal traffic patterns. Security teams should look for unusual login attempts on the gateway, specifically those originating from unexpected geographical locations or utilizing local accounts that are rarely used for remote access. Monitoring for signs of C2 communication from the gateway to unknown external IP addresses is also a priority for defenders.
Furthermore, defenders should use their SIEM and EDR tools to audit account activity immediately following a suspected compromise of the gateway. The IoC list provided by the vendor includes specific file paths being accessed by unauthorized entities, which should be integrated into SOC monitoring rules for real-time alerting.
Check Point Quantum Security Gateway Patch Guidance
Check Point has released an emergency hotfix to address this vulnerability across several product lines, including Quantum Spark, Quantum Maestro, and Quantum Force. The Check Point Quantum Security Gateway patch guidance emphasizes that merely applying the patch may not be sufficient if the gateway was already compromised before the fix was implemented.
Because the exploit allows for the extraction of password hashes, any local account on the gateway must be considered compromised. Security administrators should follow these steps immediately:
- Apply the hotfix for the specific version of Gaia OS running on the appliance.
- Review all local gateway accounts and reset passwords for every user with access to the system.
- Audit the “Remote Access” and “Mobile Access” logs for any suspicious connections dating back to early May 2024.
- Ensure that all accounts, especially those with administrative or remote access privileges, are protected by multi-factor authentication.
The speed at which this vulnerability was weaponized highlights the inherent risk associated with internet-facing perimeter devices. These systems are often trusted components of the network architecture but can become the primary vector for mass-scale compromise if not patched rapidly.
Advertisement