Report on CVE-2024-24919: A Check Point Security Gateway Vulnerability

Introduction

CVE-2024-24919 is a critical vulnerability that potentially allows an attacker to read certain information on Check Point Security Gateways. This vulnerability can be exploited when the gateways are connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. The severity of this vulnerability is highlighted by its high DVE score of 9.93, indicating a high chance of exploitation. This report aims to provide an overview of the threat actors involved, their targets, organizations at greatest risk, and steps for remediation.

Threat Actors

CVE-2024-24919 is associated with several Advanced Persistent Threat (APT) groups, including UNC2452, APT29, Royal, BITWISE SPIDER, and Akira. These threat actors are known for their sophisticated tactics, techniques, and procedures (TTPs) in carrying out cyber attacks. UNC2452, also known as DarkSide, gained notoriety for its involvement in the Colonial Pipeline ransomware attack in 2021. APT29, also known as Cozy Bear, is a Russian state-sponsored group known for its cyber espionage activities. Royal is a Chinese APT group that primarily targets organizations in the defense and aerospace sectors. BITWISE SPIDER is a cybercriminal group known for its involvement in financially motivated attacks. Akira is a relatively new APT group that has been active in targeting organizations in the Asia-Pacific region.

Targets

The targets of CVE-2024-24919 are Check Point Security Gateways connected to the internet with remote Access VPN or Mobile Access Software Blades enabled. These gateways are commonly used by organizations to secure their network infrastructure and provide remote access to their employees. The vulnerability allows an attacker to read certain information on these gateways, potentially compromising sensitive data and gaining unauthorized access to the organization's network.

Organizations at Greatest Risk

Organizations that heavily rely on Check Point Security Gateways and have remote Access VPN or Mobile Access Software Blades enabled are at the greatest risk. This includes organizations in various sectors such as government, finance, healthcare, and critical infrastructure. Government agencies and defense organizations are particularly attractive targets for APT groups like Royal and APT29. Financial institutions are at risk due to the potential for financial gain by groups like BITWISE SPIDER. Additionally, organizations with a large number of remote employees who rely on VPN access are also at high risk.

Remediation Steps

To mitigate the risk posed by CVE-2024-24919, organizations should take the following steps:

1. Apply the Security Fix: Check Point has released a security fix that addresses the vulnerability. Organizations should ensure that they have the latest software updates installed on their Check Point Security Gateways. This fix will patch the vulnerability and prevent potential exploitation.

2. Monitor for Exploitation: Organizations should closely monitor their network traffic and security logs for any signs of exploitation related to CVE-2024-24919. Intrusion detection and prevention systems should be configured to detect and block any attempts to exploit this vulnerability.

3. Review Access Controls: Organizations should review and strengthen their access controls for remote Access VPN and Mobile Access Software Blades. This includes implementing strong authentication mechanisms, enforcing least privilege access, and regularly reviewing and revoking unnecessary access privileges.

4. Educate Employees: Employee awareness and training are crucial in preventing successful attacks. Organizations should educate their employees about the risks associated with CVE-2024-24919 and provide guidance on best practices for secure remote access.

5. Implement Network Segmentation: By implementing network segmentation, organizations can limit the potential impact of a successful exploitation of CVE-2024-24919. Critical systems and sensitive data should be isolated from the rest of the network, reducing the attacker's ability to move laterally and access valuable assets.

6. Engage in Threat Intelligence Sharing: Organizations should actively participate in threat intelligence sharing communities and forums to stay updated on the latest information related to CVE-2024-24919. Sharing information about observed attacks and indicators of compromise can help the broader cybersecurity community in detecting and mitigating this vulnerability.

7. Regularly Update and Patch: It is essential for organizations to maintain a proactive approach to cybersecurity by regularly updating and patching their systems. This includes not only the Check Point Security Gateways but also all other software and hardware components within the organization's network infrastructure.

By following these remediation steps, organizations can significantly reduce the risk posed by CVE-2024-24919 and protect their network infrastructure and sensitive data from potential exploitation by threat actors.

References

CVE-2024-24919 - Taken from Cybersixgill’s proprietary vulnerability intelligence (DVE)