misp-circl-feed/feeds/circl/misp/b1a15b0e-d143-4e93-9a8c-45968fd29936.json

192 lines
12 KiB
JSON
Raw Permalink Normal View History

2024-08-07 08:13:15 +00:00
{
"Event": {
"analysis": "2",
"date": "2024-05-31",
"extends_uuid": "",
"info": "OSINT - Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)",
"publish_timestamp": "1717137297",
"published": true,
"threat_level_id": "3",
"timestamp": "1717137286",
"uuid": "b1a15b0e-d143-4e93-9a8c-45968fd29936",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Reconnaissance",
"deleted": false,
"disable_correlation": false,
"timestamp": "1717136692",
"to_ids": true,
"type": "ip-dst",
"uuid": "b961c17e-db8a-4be8-b78b-d539efa198ea",
"value": "82.180.133.120"
},
{
"category": "Network activity",
"comment": "Exploitation",
"deleted": false,
"disable_correlation": false,
"timestamp": "1717136692",
"to_ids": true,
"type": "ip-dst",
"uuid": "56c56e46-0e5e-4570-aa03-6b4e5ba3ae36",
"value": "87.120.8.173"
},
{
"category": "Network activity",
"comment": "Exploitation",
"deleted": false,
"disable_correlation": false,
"timestamp": "1717136692",
"to_ids": true,
"type": "ip-dst",
"uuid": "a3faed60-387a-44c4-b02c-9d2ed3c2dd0b",
"value": "23.227.203.36"
},
{
"category": "Network activity",
"comment": "Exploitation",
"deleted": false,
"disable_correlation": false,
"timestamp": "1717136692",
"to_ids": true,
"type": "ip-dst",
"uuid": "c3e64db4-27c6-488e-8d9c-715a1ba55769",
"value": "203.160.68.12"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1717136814",
"to_ids": false,
"type": "vulnerability",
"uuid": "9934379a-5e34-494d-b3ac-fa751cf14c1f",
"value": "CVE-2024-24919"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1717136935",
"uuid": "dbd7a1d2-bdc4-4742-ada0-625cd033a6eb",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1717136935",
"to_ids": false,
"type": "link",
"uuid": "6d30f9a7-3003-4ae6-b345-95194f84ea0f",
"value": "https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1717136935",
"to_ids": false,
"type": "text",
"uuid": "ec805bd6-2a79-4f8a-8b11-4eda1c7516fa",
"value": "Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)\r\n\r\nPublished date:29.05.2024\r\n\r\nmnemonic has several observations of the exploit being used in the wild. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "title",
"timestamp": "1717136935",
"to_ids": false,
"type": "text",
"uuid": "01178c8b-8ad7-49f2-8a2c-59b6107de235",
"value": "Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1717136935",
"to_ids": false,
"type": "text",
"uuid": "704239a3-535e-438a-b02e-e2d19deb49a2",
"value": "Blog"
}
]
}
],
"EventReport": [
{
"name": "Report from - https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/ (1717137098)",
"content": "# Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)\r\n\r\nmnemonic has several observations of the exploit being used in the wild. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely. \r\n\r\n \r\n - Security or Threat Advisory \r\n A critical vulnerability has been discovered in Check Point Security Gateways with Remote Access VPN enabled, also referred to as the \"Mobile Access\" blade. The vulnerability also applies to instances where Check Point Mobile Secure Workspace with Capsule is used.\r\n\r\n The vulnerability is considered critical because it allows unauthorised actors to extract information from gateways connected to the Internet.\r\n\r\n mnemonic has observed attempts of exploitation in customer environments since April 30, 2024.\r\n\r\n ## Background: CVE-2024-24919\r\n\r\n Late in the evening on May 28, 2024, mnemonic was contacted by Check Point Norway, urging us to patch all customers with Remote Access VPN and Mobile Access enabled.\r\n\r\n The vulnerability in question impacts all Check Point gateways with the Mobile Access blade enabled, including Capsule Workspace. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH).\r\n\r\n The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network.\r\n\r\n ## Threat Intelligence assessment\r\n\r\n Check Point Software Technologies and mnemonic have observed attempts of exploiting this vulnerability.\r\n\r\n mnemonic has several observations of this exploit being used in the wild and is currently investigating activity related to the use of this vulnerability. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely.\r\n\r\n We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. mnemonic links this vulnerability to the activity described in our blog about the misuse of Visual Studio Code for traffic tunneling. CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.\r\n\r\n ## Affected systems\r\n\r\n The vulnerability is not tied to specific software versions. Remediations and fixes will need to be implemented in the form of a hotfix released after the vulnerability's announcement.\r\n\r\n Gateways using only Site-to-Site IPSEC VPN are not affected.\r\n\r\n ## Recommendations\r\n\r\n **All gateways with Mobile Access blade active (or formerly active) should be treated as vulnerable.**\r\n\r\n **Organisations using Check Point Capsule Workspace are also vulnerable due to the Mobile Access blade being used by the Capsule solution.**\r\n\r\n To mitigate the risks associated with CVE-2024-24919, organisations are advised to:\r\n\r\n \r\n * Immediately update the affected systems to the patched version. For more information, see this article written by Check Point\r\n * Remove any local users on the gateway\r\n * Rotate passwords / accounts for LDAP-connections from gateway to Active Directory\r\n * Do post-patch searches in logs (as documented in this Check Point article) for signs of compromise / anomalous behavior / logins\r\n * If available, update Check Point IPS signature to detect exploitation attempts\r\n \r\n mnemonic also recommends that any login \"actions\" with \"password\" as the authentication type in the \"blade\" \"Mobile Access\" is cross-checked with legitimate activity. For this purpose, Check Point recommends
"id": "642",
"event_id": "222826",
"timestamp": "1717137125",
"uuid": "f2edd1c3-6e54-44a8-9a22-c294ceb3e31a",
"deleted": false
}
]
}
}