Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day since at least April 30, stealing Active Directory data needed to move laterally through the victims' networks in successful attacks.
Check Point warned customers on Monday that attackers are targeting their security gateways using old VPN local accounts with insecure password-only authentication.
The company subsequently discovered the hackers were exploiting an information disclosure flaw in these attacks and released hotfixes to help customers block exploitation attempts against vulnerable CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances.
After applying the hotfix released today, all login attempts using weak credentials and authentication methods will be blocked automatically and logged.
Check Point also provides additional information about CVE-2024-24919 and hotfix installation instructions in this support document.
While Check Point shared that the attacks targeting CVE-2024-24919 as a zero-day started around May 24, cybersecurity company mnemonic warned today that it observed exploitation attempts in some of its customer environments since April 30.
In the cases mnemonic investigated, the attackers extracted NTDS.dit, the database that stores Active Directory data on users, groups, security descriptors, and password hashes, from compromised environments within 2-3 hours of logging in with a local user.
The vulnerability was also exploited to extract information that allowed the attackers to move laterally within the victim's network and to abuse Visual Studio Code to tunnel malicious traffic.
Mnemonic advises Check Point customers to immediately update affected systems to the patched version and to remove any local users on vulnerable security gateways.
Admins are also advised to rotate the passwords and accounts used for LDAP connections from the gateway to Active Directory, to search the logs after patching for signs of compromise such as anomalous behavior and suspicious logins, and, where available, to update the Check Point IPS signature that detects exploitation attempts.
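The post-patch log review recommended above amounts to two questions: which local accounts were logging in with password-only authentication, and which source addresses were cycling through many accounts. The following script, added here as an illustration and not taken from the article, Check Point or mnemonic, runs those two checks over a handful of constructed log lines. The line format (`vpn_login user=... auth=... src=... result=...`) is an assumption made for this example and is not Check Point's actual log schema; adapt the regular expression to the fields your gateway emits.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example. The field layout is an
# assumption, NOT the real Check Point log format.
SAMPLE_LOGS = """\
2024-05-28T09:12:03Z vpn_login user=vpn_admin auth=password src=203.0.113.10 result=success
2024-05-28T09:13:44Z vpn_login user=jdoe auth=password+certificate src=198.51.100.7 result=success
2024-05-28T09:15:21Z vpn_login user=backup_svc auth=password src=203.0.113.10 result=success
2024-05-28T09:16:02Z vpn_login user=jsmith auth=password src=203.0.113.10 result=failure
2024-05-28T09:20:55Z vpn_login user=old_local auth=password src=203.0.113.10 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn_login user=(?P<user>\S+) auth=(?P<auth>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(logs):
    """Yield one dict per well-formed vpn_login line; skip anything else."""
    for line in logs.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def password_only_successes(logs):
    """Users that successfully authenticated with a password alone.

    These are the local accounts the advisory says to remove (or at least
    rotate and convert to stronger authentication). Order of first
    appearance is preserved so the output is stable.
    """
    seen = []
    for ev in parse(logs):
        if ev["auth"] == "password" and ev["result"] == "success":
            if ev["user"] not in seen:
                seen.append(ev["user"])
    return seen


def sources_hitting_many_accounts(logs, threshold=3):
    """Source IPs that tried at least `threshold` distinct accounts.

    Failed attempts count too: an attacker enumerating old local accounts
    will typically produce a mix of failures and successes from one host.
    Returns {src: set(users)} for sources over the threshold.
    """
    users_by_src = defaultdict(set)
    for ev in parse(logs):
        users_by_src[ev["src"]].add(ev["user"])
    return {src: users for src, users in users_by_src.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    print("password-only local logins:", password_only_successes(SAMPLE_LOGS))
    for src, users in sources_hitting_many_accounts(SAMPLE_LOGS).items():
        print(f"{src} touched {len(users)} accounts: {sorted(users)}")
```

Run it against an export of the gateway's authentication logs covering at least the window back to April 30, the earliest exploitation date mnemonic reports, and treat every account in the first list as one to remove and every source in the second as a candidate for a full incident review.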
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 29 May 2024 19:40:04 +0000