Hackers Exploit Check Point VPN Flaw to Steal Sensitive AD Credentials

Check Point has reported that since late April, cybercriminals have been actively exploiting a critical vulnerability in the Check Point VPN remote access system, allowing them to steal Active Directory data for further infiltration into victims’ networks.

On May 27, Check Point alerted its clients that attacks were targeting their security systems through outdated local VPN accounts with insecure password-based authentication.

Further investigation revealed that the attackers used the information disclosure vulnerability CVE-2024-24919 (CVSS 3.1 score: 7.5) to conduct these attacks. The company has issued patches for the affected products, including CloudGuard, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark, to help clients block exploitation attempts against vulnerable networks.

In an updated advisory, Check Point explained that this vulnerability allows an attacker to read specific information on internet-connected gateways with VPN remote access or mobile access enabled. Recorded attack attempts have primarily targeted remote access scenarios through old local accounts with discouraged password-based authentication.

Following the installation of the patch, all login attempts using weak credentials and authentication methods will be automatically blocked and logged.

While Check Point reported that attacks targeting CVE-2024-24919 began around May 24, cybersecurity firm mnemonic observed exploitation attempts in its clients’ networks starting April 30. The firm noted that this vulnerability is particularly critical because it is easy to exploit remotely: it requires neither user interaction nor any privileges on the targeted Check Point devices.

According to mnemonic, the vulnerability allows attackers to extract password hashes for all local accounts, including those used to connect to Active Directory. Weak passwords can be cracked, leading to further misuse and potential lateral movement within the network.

It was observed that attackers extracted ntds.dit, the database containing Active Directory data on users, groups, security descriptors, and password hashes, from compromised systems within 2-3 hours of logging in with a local user.

The vulnerability was also used to extract information that allowed attackers to move laterally within the victim’s network and to abuse Visual Studio Code for tunneling malicious traffic.

mnemonic advises Check Point clients to immediately update affected systems to the patched version and remove all local users on vulnerable security gateways. Administrators are also advised to rotate the passwords of the accounts used for LDAP connections to Active Directory, analyze logs for signs of compromise such as anomalous behavior and suspicious login attempts, and, if possible, update Check Point IPS signatures to detect exploitation attempts.
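The log-analysis step above is the one most teams have to improvise. The following is an added example, not code from the article, from mnemonic or from Check Point: it runs two of the checks the advice implies over a constructed, simplified authentication log. The `time=... src=... user=... auth=... realm=... result=...` line format is an assumption made for the example and is not Check Point's actual log format; a real deployment would map the gateway's own fields onto these names first. The first check lists successful password-based logins to local (non-directory) accounts, which is exactly the scenario the article says attackers targeted and the patch now blocks; the second flags a source that fails repeatedly against one user and then succeeds, a common footprint of guessed or cracked credentials being reused.

```python
"""Flag risky remote-access VPN logins in a constructed, simplified auth log.

Hypothetical log format (NOT Check Point's own): one event per line,
space-separated key=value pairs. The sample below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample log: two local password logins at night, a short burst of
# failures against the local "backup" account followed by a success, and two
# ordinary certificate-based logins by directory users.
SAMPLE_LOG = """\
time=2024-05-01T02:11:09Z src=203.0.113.7 user=vpnadmin auth=password realm=local result=success
time=2024-05-01T02:14:31Z src=203.0.113.7 user=vpnadmin auth=password realm=local result=success
time=2024-05-01T09:02:10Z src=198.51.100.23 user=jdoe auth=certificate realm=ad result=success
time=2024-05-01T22:40:02Z src=203.0.113.7 user=backup auth=password realm=local result=failure
time=2024-05-01T22:40:05Z src=203.0.113.7 user=backup auth=password realm=local result=failure
time=2024-05-01T22:40:08Z src=203.0.113.7 user=backup auth=password realm=local result=failure
time=2024-05-01T22:40:11Z src=203.0.113.7 user=backup auth=password realm=local result=success
time=2024-05-02T08:15:44Z src=198.51.100.41 user=asmith auth=certificate realm=ad result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse key=value lines into dicts, skipping blank or malformed lines.

    Events are returned sorted by their ISO-8601 timestamp so that the
    streak detection below sees them in chronological order.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = dict(KV_RE.findall(line))
        if {"time", "src", "user", "result"} <= ev.keys():
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_local_password_logins(events):
    """Successful logins to local (non-directory) accounts using password auth.

    These are the logins the article describes as the attackers' entry point.
    After patching they should be blocked, so any hit in post-patch logs means
    the patch is not in effect; hits in historical logs deserve review.
    """
    return [
        (e["time"], e["user"], e["src"])
        for e in events
        if e.get("realm") == "local"
        and e.get("auth") == "password"
        and e["result"] == "success"
    ]


def find_failures_then_success(events, threshold=3):
    """Per (src, user): a run of >= threshold consecutive failures that ends
    in a success, a common sign of password guessing or cracked-hash reuse."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                hits.append(key)
            streak[key] = 0
    return hits


def report(text, threshold=3):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_events(text)
    return {
        "local_password_logins": find_local_password_logins(events),
        "guessing_then_success": find_failures_then_success(events, threshold),
    }


if __name__ == "__main__":
    for name, findings in report(SAMPLE_LOG).items():
        print(name)
        for item in findings:
            print("   ", item)
```

On the constructed sample the first check returns the two `vpnadmin` logins and the final `backup` login, and the second returns the single `(203.0.113.7, backup)` pair. In practice the local-account check is most useful as a baseline: run it once over pre-patch history to see which local accounts were ever used over the VPN, then keep it running after the patch, where any hit indicates the gateway is still accepting the authentication method the advisory says should now be rejected.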