CVE-2024-24919 Exploitation, Veriti Proactive Remediation
2024-6-3 19:0:45 Author: securityboulevard.com

Over the past few days, there has been a significant rise in exploitation attempts of the Check Point vulnerability identified as CVE-2024-24919. This increase is not isolated but part of a larger pattern of sophisticated cyber attacks that utilize both manual and automated tools to scan and exploit vulnerabilities across various VPN systems.

Technical Overview of CVE-2024-24919

This high-severity vulnerability predominantly impacts devices configured with IPSec VPN or Mobile Access software blades. It is a path traversal flaw that allows attackers to access all resources on the gateway without any user interaction or authentication.

The exploitation patterns for CVE-2024-24919 include extracting password hashes for local accounts and potentially accessing the ‘ntds.dit’ file from Active Directory servers. System logs such as /var/log/messages, /var/log/audit/audit.log, and /var/log/auth record successful administrative panel or SSH logins, which could indicate an exploit.

In response, Check Point has released several hotfixes and recommends resetting LDAP passwords and implementing other security measures to mitigate the risk. However, the exploit’s simplicity and severe implications make it a potent tool for cyber criminals.
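The log review described in this section can be scripted. The following is an added example, not code from the original post or from Check Point: it flags successful SSH logins that come from a blocklisted source or from outside the management networks. It assumes the log uses the standard OpenSSH syslog line format; `triage_logins`, `BLOCKLIST` and `MGMT_NETS` are hypothetical names, and every address is a constructed value from the documentation ranges.

```python
import ipaddress
import re

# Standard OpenSSH syslog message for a successful login (assumed log format).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines; addresses come from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Jun  1 02:14:07 gw1 sshd[4121]: Failed password for admin from 198.51.100.23 port 40112 ssh2
Jun  1 02:14:31 gw1 sshd[4127]: Accepted password for admin from 198.51.100.23 port 40118 ssh2
Jun  1 08:02:10 gw1 sshd[5310]: Accepted publickey for opsuser from 192.0.2.10 port 51514 ssh2
Jun  1 23:47:55 gw1 sshd[7702]: Accepted password for monitor from 203.0.113.77 port 33902 ssh2
""".splitlines()

# Placeholders: substitute your IoC feed and your real management networks.
BLOCKLIST = {"198.51.100.23"}
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def triage_logins(lines, blocklist, mgmt_nets):
    """Return successful SSH logins that need review, most serious first."""
    bad = {ipaddress.ip_address(ip) for ip in blocklist}
    findings = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts and unrelated messages are not logins
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source logged as something other than an IP literal
        if src in bad:
            reason = "ioc-source"
        elif not any(src in net for net in mgmt_nets):
            reason = "outside-mgmt-network"
        else:
            continue  # expected administrative access
        findings.append({"time": m["ts"], "user": m["user"],
                         "src": str(src), "method": m["method"], "reason": reason})
    return sorted(findings, key=lambda f: f["reason"] != "ioc-source")


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOG, BLOCKLIST, MGMT_NETS):
        print(f)
```

A login flagged `ioc-source` on a gateway that was unpatched at the time is a reason to treat the local account's credentials as compromised and reset them.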

Automation in Attack Strategies

Attackers have intensified their operations by utilizing automation tools like the FUF Security Scanner and VER0 Nikto Security Scanner. These tools enable them to efficiently discover and exploit multiple vulnerable VPNs across a broad spectrum, indicating a shift towards more systematic and wide-reaching cyber-attacks.

Our investigations reveal that these attacks target numerous industries and countries, with tens of thousands of exploit attempts documented. The scope and precision of these attacks suggest that sophisticated threat actors, possibly linked to cyber criminal groups like Trigona Ransom, Risepro, and Androxgh0st, are orchestrating these activities.

We have discovered evidence that universities, government organizations, and manufacturing firms are likely using a version of the software that is vulnerable. Additionally, it is crucial to highlight that most instances are linked to service providers. Another noteworthy observation is the deployment of dozens of honeypots following the release of the CVE. Researchers have set up these honeypots to detect active exploitation and monitor any subsequent lateral movement activities.

Further analysis shows that this trend is part of a broader vulnerability landscape in 2024, affecting all major VPN vendors. These vulnerabilities pose a significant risk as they allow attackers to bypass traditional security mechanisms and gain unauthorized access to sensitive organizational data.

  • Jan 10: CVE-2024-21887
  • Jan 31: CVE-2024-21893
  • Feb 8: CVE-2024-21762
  • Feb 9: CVE-2024-22024
  • Apr 12: CVE-2024-3400
  • Apr 24: CVE-2024-20353 | CVE-2024-20359
  • Apr 28: CVE-2024-24919

Stay Proactive 

To assist in detecting and remediating these attacks, we have compiled a list of IP addresses associated with the exploitation of CVE-2024-24919 that can be blocked for their malicious activity.

Veriti’s Proactive Exposure Assessment 

In response to these threats, the Veriti Exposure Assessment and Remediation platform has proactively adjusted configurations to block these exploitation attempts, delivering real-time, automated defenses without human intervention. By automatically blocking critical vulnerabilities like CVE-2024-24919 before they could be exploited, Veriti users enjoy proactive threat management without any business disruptions. 

We have been using Veriti for a year now. Our security policies have been improved and our general security hygiene is in a better state. We also enabled the automatic IoC feature as remediating the numerous IoCs daily was getting cumbersome.

The true value of Veriti was on display in the recent [Check Point] vulnerability.

We are a Check Point Elite Partner and the vendor reached out to us about an issue that surfaced around VPNs. The issue eventually made it to a CVE status, and we were working with our customers on a mitigation plan and taking the recommended steps by the vendor.

We had not gotten to patch our own firewalls, but when I checked Veriti for the CVE it had already blocked an attempt to exploit the vulnerability.

Veriti gives us peace of mind that we are protected even when we have not patched yet. This is what security tools are supposed to do. Protect you from yourself.

Scott Perzan

Director of IT and Security Services Technology, Atlantic Data Security

Conclusion 

The persistent and evolving nature of cyber threats like those exploiting CVE-2024-24919 underscores the necessity for organizations to adopt a proactive, intelligence-driven approach to cyber security. Veriti’s solutions provide the advanced capability to detect, analyze, and remediate threats safely, in real-time, ensuring that your security posture is responsive to dynamic threats. 

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/cve-2024-24919-exploitation-veriti-proactive-remediation/


Article source: https://securityboulevard.com/2024/06/cve-2024-24919-exploitation-veriti-proactive-remediation/