{ "type": "bundle", "id": "bundle--b1a15b0e-d143-4e93-9a8c-45968fd29936", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:34:46.000Z", "modified": "2024-05-31T06:34:46.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--b1a15b0e-d143-4e93-9a8c-45968fd29936", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:34:46.000Z", "modified": "2024-05-31T06:34:46.000Z", "name": "OSINT - Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)", "published": "2024-05-31T06:34:57Z", "object_refs": [ "indicator--b961c17e-db8a-4be8-b78b-d539efa198ea", "indicator--56c56e46-0e5e-4570-aa03-6b4e5ba3ae36", "indicator--a3faed60-387a-44c4-b02c-9d2ed3c2dd0b", "indicator--c3e64db4-27c6-488e-8d9c-715a1ba55769", "vulnerability--9934379a-5e34-494d-b3ac-fa751cf14c1f", "x-misp-object--dbd7a1d2-bdc4-4742-ada0-625cd033a6eb", "note--f2edd1c3-6e54-44a8-9a22-c294ceb3e31a" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "tlp:clear", "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b961c17e-db8a-4be8-b78b-d539efa198ea", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:24:52.000Z", "modified": "2024-05-31T06:24:52.000Z", "description": "Reconnaissance", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.180.133.120']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-05-31T06:24:52Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c56e46-0e5e-4570-aa03-6b4e5ba3ae36", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:24:52.000Z", "modified": "2024-05-31T06:24:52.000Z", "description": "Exploitation", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.120.8.173']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-05-31T06:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a3faed60-387a-44c4-b02c-9d2ed3c2dd0b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:24:52.000Z", "modified": "2024-05-31T06:24:52.000Z", "description": "Exploitation", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.227.203.36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2024-05-31T06:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c3e64db4-27c6-488e-8d9c-715a1ba55769", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:24:52.000Z", "modified": "2024-05-31T06:24:52.000Z", "description": "Exploitation", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.160.68.12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2024-05-31T06:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--9934379a-5e34-494d-b3ac-fa751cf14c1f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:26:54.000Z", "modified": "2024-05-31T06:26:54.000Z", "name": "CVE-2024-24919", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"External analysis\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2024-24919" } ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--dbd7a1d2-bdc4-4742-ada0-625cd033a6eb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:28:55.000Z", "modified": "2024-05-31T06:28:55.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/", "category": "External analysis", "uuid": "6d30f9a7-3003-4ae6-b345-95194f84ea0f" }, { "type": "text", "object_relation": "summary", "value": "Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)\r\n\r\nPublished date:29.05.2024\r\n\r\nmnemonic has several observations of the exploit being used in the wild. 
The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely.", "category": "Other", "uuid": "ec805bd6-2a79-4f8a-8b11-4eda1c7516fa" }, { "type": "text", "object_relation": "title", "value": "Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)", "category": "Other", "uuid": "01178c8b-8ad7-49f2-8a2c-59b6107de235" }, { "type": "text", "object_relation": "type", "value": "Blog", "category": "Other", "uuid": "704239a3-535e-438a-b02e-e2d19deb49a2" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "note", "spec_version": "2.1", "id": "note--f2edd1c3-6e54-44a8-9a22-c294ceb3e31a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2024-05-31T06:32:05.000Z", "modified": "2024-05-31T06:32:05.000Z", "abstract": "Report from - https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/ (1717137098)", "content": "# Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919)\r\n\r\nmnemonic has several observations of the exploit being used in the wild. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely. \r\n\r\n \r\n - Security or Threat Advisory \r\n A critical vulnerability has been discovered in Check Point Security Gateways with Remote Access VPN enabled, also referred to as the \"Mobile Access\" blade. 
The vulnerability also applies to instances where Check Point Mobile Secure Workspace with Capsule is used.\r\n\r\n The vulnerability is considered critical because it allows unauthorised actors to extract information from gateways connected to the Internet.\r\n\r\n mnemonic has observed attempts of exploitation in customer environments since April 30, 2024.\r\n\r\n ## Background: CVE-2024-24919\r\n\r\n Late in the evening on May 28, 2024, mnemonic was contacted by Check Point Norway, urging us to patch all customers with Remote Access VPN and Mobile Access enabled.\r\n\r\n The vulnerability in question impacts all Check Point gateways with the Mobile Access blade enabled, including Capsule Workspace. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH).\r\n\r\n The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. However, it is known that password hashes of legacy local users with password-only authentication can be extracted, including service accounts used to connect to Active Directory. Weak passwords can be compromised, leading to further misuse and potential lateral movement within the network.\r\n\r\n ## Threat Intelligence assessment\r\n\r\n Check Point Software Technologies and mnemonic have observed attempts of exploiting this vulnerability.\r\n\r\n mnemonic has several observations of this exploit being used in the wild and is currently investigating activity related to the use of this vulnerability. The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely.\r\n\r\n We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. 
mnemonic links this vulnerability to the activity described in our blog about the misuse of Visual Studio Code for traffic tunneling. CVE-2024-24919 was in that case used to extract user information which the threat actor then used to move laterally in the network.\r\n\r\n ## Affected systems\r\n\r\n The vulnerability is not tied to specific software versions. Remediations and fixes will need to be implemented in the form of a hotfix released after the vulnerability's announcement.\r\n\r\n Gateways using only Site-to-Site IPSEC VPN are not affected.\r\n\r\n ## Recommendations\r\n\r\n **All gateways with Mobile Access blade active (or formerly active) should be treated as vulnerable.**\r\n\r\n **Organisations using Check Point Capsule Workspace are also vulnerable due to the Mobile Access blade being used by the Capsule solution.**\r\n\r\n To mitigate the risks associated with CVE-2024-24919, organisations are advised to:\r\n\r\n \r\n * Immediately update the affected systems to the patched version. For more information, see this article written by Check Point\r\n * Remove any local users on the gateway\r\n * Rotate passwords / accounts for LDAP-connections from gateway to Active Directory\r\n * Do post-patch searches in logs (as documented in this Check Point article) for signs of compromise / anomalous behavior / logins\r\n * If available, update Check Point IPS signature to detect exploitation attempts\r\n \r\n mnemonic also recommends that any login \"actions\" with \"password\" as the authentication type in the \"blade\" \"Mobile Access\" is cross-checked with legitimate activity. For this purpose, Check Point recommends to use the following query in SmartConsole: action:\"Log In\" AND auth\\_method:Password AND blade:\"Mobile Access\"\r\n\r\n Check Point has released several IPS rules to detect exploit activity, but it requires that the vulnerable Remote Access gateway is behind a Security Gateway and that the IDS/IPS blade is enabled. 
If you have an IDS or other network sensor in front of the Remote Access gateway, one could look for the following URI path: https://IP/clients/MyCRL being used as a way to detect exploitation attempts.\r\n\r\n ## Detection coverage for Argus MDR customers\r\n\r\n For Argus MDR customers, mnemonic has initiated the following actions:\r\n\r\n \r\n * mnemonic is currently reviewing log data for signs of brute force or newly created / used local users\r\n * Signatures that detect all logins with the use of static passwords have been deployed\r\n * IOCs which were earlier involved in compromising customers with similar tech stacks are given extra attention\r\n * The Signature Development Team is currently investigating the possibility to create precise detections\r\n * Retroactive searches in available data are performed for customers known to be using vulnerable Check Point products\r\n \r\n ## Actions taken for Argus Security Operations (ASO) customers\r\n\r\n For mnemonic ASO customers, mnemonic has initiated the following actions:\r\n\r\n \r\n * mnemonic is checking all customer deployments for any usage of Mobile Access blade and local users\r\n * Customer appliances for mnemonic ASO Premium and ASO Standard customers have been patched according to contract terms\r\n * mnemonic NOC is performing additional hunting for indicators of compromise post-patching\r\n * mnemonic NOC is notifying all customers with Mobile Access licenses from mnemonic, offering advice and assistance in handling\r\n \r\n ## IOCs\r\n\r\n The following IOCs have been observed in customer environments between April 30, 2024, and today (May 29, 2024):\r\n\r\n \r\n * Reconnaissance IP: 82.180.133[.]120\r\n * Exploitation IP: 87.120.8[.]173\r\n * Exploitation IP: 23.227.203[.]36\r\n * Exploitation IP: 203.160.68[.]12", "object_refs": [ "report--b1a15b0e-d143-4e93-9a8c-45968fd29936" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }