CVE-2024-24919: Qilin Ransomware Gang Exploits Check Point VPN Zero-Day
- [01] Attackers are exploiting a zero-day vulnerability to gain unauthorized access and harvest credentials from corporate network gateways.
- [02] Vulnerable systems include Check Point Quantum Security Gateways, Spark, and CloudGuard Network Security with Remote Access enabled.
- [03] Security administrators must immediately apply the recommended hotfixes to mitigate the risk of credential theft and ransomware.
Check Point recently released critical security updates to address a Zero-Day vulnerability, identified as CVE-2024-24919, which is being actively exploited in the wild. Initial reports and a subsequent investigation by Check Point security researchers have linked the exploitation of this flaw to the Qilin Ransomware gang, according to BleepingComputer. The vulnerability allows unauthenticated attackers to read sensitive information on internet-connected gateways, potentially leading to unauthorized access to internal networks.
Technical Analysis of CVE-2024-24919
The vulnerability is categorized as an information disclosure flaw within the Check Point Quantum Security Gateways, Spark Gateways, and CloudGuard Network Security products. Specifically, the flaw exists in the Remote Access VPN and Mobile Access software blades. When these features are enabled, an attacker can craft a specific request to bypass security controls and read arbitrary files on the local file system of the gateway.
One of the primary targets for attackers exploiting this CVE is the /etc/shadow file. This file contains hashed passwords for local accounts. By retrieving these hashes, threat actors can perform offline brute-force attacks to crack passwords, leading to Privilege Escalation on the gateway itself. Once the gateway is compromised, the attacker can use the stolen credentials to establish a persistent presence, often as a precursor to Lateral Movement within the target organization’s internal infrastructure.
Attribution to the Qilin Ransomware Group
Check Point’s SOC and incident response teams observed several attempts to exploit this vulnerability starting in early May 2024. The TTP identified during these investigations strongly suggest the involvement of the Qilin ransomware group. This group has a history of targeting high-value infrastructure to facilitate large-scale data exfiltration and encryption. In the context of CVE-2024-24919, the attackers appear to be focused on harvesting credentials from the VPN gateways to gain initial access, which is a common first step in the MITRE ATT&CK framework for ransomware deployments.
The use of a Zero-Day vulnerability indicates a higher level of sophistication and resources from the threat actor, as they are bypassing traditional signature-based security measures. The speed at which the group moved from exploitation to internal network access highlights the severe risk posed to organizations that rely on these VPN gateways for secure remote connectivity.
Detection and Mitigation for Check Point VPN CVE-2024-24919
For organizations concerned about their exposure, understanding how to detect CVE-2024-24919 exploit attempts is a priority. Defenders should analyze their SIEM logs for unusual web requests directed at the VPN portal endpoints, particularly those involving directory traversal patterns. Furthermore, Check Point has provided specific IoC data and log signatures that EDR and network monitoring tools can use to identify successful file read attempts.
Check Point has released a series of hotfixes for affected versions, including R81.20, R81.10, R80.40, and several versions of the Spark firmware. For those seeking Check Point VPN CVE-2024-24919 patch guidance, the manufacturer recommends the following steps:
- Identify Vulnerable Gateways: Check if Remote Access VPN or Mobile Access is enabled. This can be verified by checking if the ‘vpn’ process is running or by reviewing the gateway object configuration in the management server.
- Apply Security Hotfixes: Install the latest Jumbo Hotfix Accumulator or the standalone security update provided by Check Point.
- Reset Local Account Passwords: Because attackers may have already exfiltrated the
/etc/shadowfile, it is highly recommended to reset all local account passwords on the gateway after the patch is applied. - Enable Multi-Factor Authentication: To prevent unauthorized access via stolen credentials, ensure that all VPN access requires MFA, moving toward a Zero Trust architecture.
Advertisement