Ransomware Gang Exploits Critical Check Point VPN Flaw

A critical zero-day flaw in Check Point VPNs is being actively exploited by the Qilin ransomware gang to infiltrate corporate networks.

Cybersecurity firm Check Point has released an emergency patch for a critical zero-day vulnerability in its Remote Access VPN products. The flaw, tracked as CVE-2024-24919, allows attackers to read sensitive files on a company's Security Gateways. This can expose password hashes and other credentials, giving attackers a crucial foothold inside a private network. The vulnerability was discovered after Check Point identified a small number of attacks against enterprise customers that began as early as April 30th. Attackers specifically targeted older, locally managed gateways that still used simple password-only authentication. By exploiting the flaw, they were able to steal Active Directory data, which contains user credentials and a map of the entire corporate network.

Check Point has linked these attacks to the Qilin ransomware gang, a known group that targets critical industries. By leveraging this VPN vulnerability, the group can bypass perimeter defenses to gain initial access. Once inside, they can move laterally across the network, escalate their privileges, and ultimately deploy ransomware to encrypt critical systems and demand payment. This makes the vulnerability extremely dangerous for any organization using the affected Check Point products, as it creates a direct pathway for one of the most destructive types of cyberattacks. The flaw impacts Security Gateways with the Remote Access VPN or Mobile Access features enabled, potentially leading to significant financial and operational disruption if left unpatched.

In response, Check Point is urging all customers to apply the new hotfixes immediately. The company also strongly recommends disabling outdated local accounts that rely on password-only authentication, advising a shift to more secure methods like multi-factor authentication (MFA). Beyond patching, security teams must actively hunt for signs of compromise. This includes reviewing system logs for unusual login activity, checking for unauthorized access to Active Directory, and scanning for other indicators that an attacker may have already breached their environment. Check Point has provided technical guidance and indicators of compromise to aid defenders in their investigation efforts.

A trusted security product, the VPN, has become an entry point for a dangerous ransomware gang. This turns a company's primary defense into its biggest vulnerability, allowing attackers to bypass the perimeter and directly access the internal network.

A successful exploit can lead to a full-blown ransomware attack, causing massive business disruption, data loss, and significant financial costs from ransom payments, recovery efforts, and reputational damage.