Over the past few days, there has been a significant rise in exploitation attempts of the Check Point vulnerability identified as CVE-2024-24919. This increase is not isolated but part of a larger pattern of sophisticated cyber attacks that utilize both manual and automated tools to scan and exploit vulnerabilities across various VPN systems.
Technical Overview of CVE-2024-24919
This high-severity vulnerability predominantly impacts devices configured with the IPSec VPN or Mobile Access software blades. It is a path traversal flaw that lets an attacker access all resources on the gateway without authentication or any user interaction.
Observed exploitation of CVE-2024-24919 includes extracting password hashes for local accounts and potentially accessing the ‘ntds.dit’ file from Active Directory servers. Entries in /var/log/messages, /var/log/audit/audit.log, and /var/log/auth that show successful administrative panel or SSH logins, especially from unexpected sources, can indicate that the flaw has been exploited.
In response, Check Point has released several hotfixes and recommends resetting LDAP passwords and implementing other security measures to mitigate the risk. However, the exploit’s simplicity and severe implications make it a potent tool for cyber criminals.
Automation in Attack Strategies
Attackers have intensified their operations by utilizing automation tools like the FUF Security Scanner and VER0 Nikto Security Scanner. These tools enable them to efficiently discover and exploit multiple vulnerable VPNs across a broad spectrum, indicating a shift towards more systematic and wide-reaching cyber-attacks.
Our investigations reveal that these attacks target numerous industries and countries, with tens of thousands of exploit attempts documented. The scope and precision of these attacks suggest that sophisticated threat actors, possibly linked to cyber criminal groups like Trigona Ransom, Risepro, and Androxgh0st, are orchestrating these activities.
We have discovered evidence that universities, government organizations, and manufacturing firms are likely using a version of the software that is vulnerable. Additionally, it is crucial to highlight that most instances are linked to service providers. Another noteworthy observation is the deployment of dozens of honeypots following the release of the CVE. Researchers have set up these honeypots to detect active exploitation and monitor any subsequent lateral movement activities.
Further analysis shows that this trend is part of a broader vulnerability landscape in 2024, affecting all major VPN vendors. These vulnerabilities pose a significant risk as they allow attackers to bypass traditional security mechanisms and gain unauthorized access to sensitive organizational data.
- CVE-2024-21887
- CVE-2024-21893
- CVE-2024-21762
- CVE-2024-22024
- CVE-2024-3400
- CVE-2024-20353 | CVE-2024-20359
- CVE-2024-24919
Stay Proactive
To assist in detecting and remediating these attacks, we have compiled a list of IP addresses associated with the exploitation of CVE-2024-24919 that can be blocked for their malicious activity:
- 108.181.7.17
- 137.220.244.18
- 38.181.79.230
- 172.247.15.222
- 103.100.209.24
- 185.153.151.137
- 156.234.193.18
- 23.95.44.80
- 154.38.105.109
- 154.223.21.222
- 172.247.15.236
- 154.90.44.73
- 203.160.68.12
- 23.227.203.36
- 82.180.133.120
- 87.120.8.173
- 66.42.63.227
- 184.95.51.10
- 172.233.254.133
- 167.99.112.236
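The two defensive steps above, reviewing the gateway's login logs for unexpected successful logins and blocking the listed IP addresses, can be combined into one log-review check. The following script is an added example and is not code from the original post or from Veriti; it assumes the standard OpenSSH syslog format for "Accepted" lines (verify this against your own /var/log/auth), and the sample log lines and the admin allowlist are constructed for illustration:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# IP addresses the post associates with CVE-2024-24919 exploitation attempts.
BLOCKED_IPS: Set[str] = {
    "108.181.7.17", "137.220.244.18", "38.181.79.230", "172.247.15.222",
    "103.100.209.24", "185.153.151.137", "156.234.193.18", "23.95.44.80",
    "154.38.105.109", "154.223.21.222", "172.247.15.236", "154.90.44.73",
    "203.160.68.12", "23.227.203.36", "82.180.133.120", "87.120.8.173",
    "66.42.63.227", "184.95.51.10", "172.233.254.133", "167.99.112.236",
}

# Successful-login line as written by OpenSSH's sshd to syslog.
# Assumed format: "sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2".
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class Finding:
    line_no: int
    user: str
    ip: str
    method: str
    reason: str


def review_ssh_logins(lines: Iterable[str], allowed_admin_ips: Set[str]) -> List[Finding]:
    """Flag successful SSH logins that come from a blocklisted IP or from any
    IP that is not on the administrator allowlist. Failed logins are ignored
    because the regex only matches "Accepted" lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        match = SSH_ACCEPTED.search(line)
        if not match:
            continue
        ip = match["ip"]
        if ip in BLOCKED_IPS:
            reason = "source IP is on the CVE-2024-24919 blocklist"
        elif ip not in allowed_admin_ips:
            reason = "successful login from an IP outside the admin allowlist"
        else:
            continue  # expected administrator login
        findings.append(Finding(line_no, match["user"], ip, match["method"], reason))
    return findings


# Constructed sample lines in OpenSSH syslog style; not real gateway logs.
SAMPLE_AUTH_LOG = """\
Jun  3 08:12:01 gw sshd[2211]: Accepted publickey for admin from 10.0.5.20 port 50322 ssh2
Jun  3 08:15:44 gw sshd[2290]: Failed password for admin from 23.95.44.80 port 41122 ssh2
Jun  3 08:15:49 gw sshd[2290]: Accepted password for admin from 23.95.44.80 port 41122 ssh2
Jun  3 09:02:10 gw sshd[2410]: Accepted password for admin from 198.51.100.7 port 39000 ssh2
""".splitlines()

# Constructed allowlist: the management host administrators normally log in from.
ADMIN_ALLOWLIST: Set[str] = {"10.0.5.20"}

if __name__ == "__main__":
    for f in review_ssh_logins(SAMPLE_AUTH_LOG, ADMIN_ALLOWLIST):
        print(f"line {f.line_no}: {f.user} via {f.method} from {f.ip}: {f.reason}")
```

To run it against a real gateway, replace SAMPLE_AUTH_LOG with the lines of /var/log/auth and ADMIN_ALLOWLIST with the addresses your administrators actually use; a hit on the blocklist is a strong signal, while a login from an unknown address still warrants confirming with the administrator, since the blocklist only covers the addresses seen so far.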
Veriti’s Proactive Exposure Assessment
In response to these threats, the Veriti Exposure Assessment and Remediation platform has proactively adjusted configurations to block these exploitation attempts, delivering real-time, automated defenses without human intervention. By automatically blocking attempts to exploit critical vulnerabilities like CVE-2024-24919 before they succeed, Veriti users get proactive threat management without any business disruption.
The true value of Veriti was on display in the recent [Check Point] vulnerability.
We are a Check Point Elite Partner and the vendor reached out to us about an issue that surfaced around VPNs. The issue eventually made it to CVE status, and we were working with our customers on a mitigation plan and taking the steps recommended by the vendor.
We had not gotten to patch our own firewalls, but when I checked Veriti for the CVE it had already blocked an attempt to exploit the vulnerability.
Veriti gives us peace of mind that we are protected even when we have not patched yet. This is what security tools are supposed to do. Protect you from yourself.
Scott Perzan
Director of IT and Security Services Technology, Atlantic Data Security
Conclusion
The persistent and evolving nature of cyber threats like those exploiting CVE-2024-24919 underscores the necessity for organizations to adopt a proactive, intelligence-driven approach to cyber security. Veriti’s solutions provide the advanced capability to detect, analyze, and remediate threats safely, in real-time, ensuring that your security posture is responsive to dynamic threats.
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/cve-2024-24919-exploitation-veriti-proactive-remediation/
This post was originally published on the 3rd party site mentioned in the title of this site.