Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive mandating all Federal Civilian Executive Branch agencies to patch a critical zero-day vulnerability in Check Point VPN products within three days. This vulnerability, actively exploited as a zero-day, enables unauthenticated remote attackers to bypass authentication and gain access to internal networks via Check Point Remote Access VPN and Mobile Access gateways. The exploitation has been attributed to affiliates of the Qilin ransomware group, with confirmed breaches and ransomware deployments observed in the wild. The urgency of the directive underscores the severity of the threat, the sophistication of the adversaries, and the potential for widespread compromise if immediate action is not taken.
Threat Actor Profile
The primary threat actors exploiting this vulnerability are affiliates of the Qilin ransomware group, a prolific Ransomware-as-a-Service (RaaS) operation active since at least 2022. Qilin is known for its aggressive targeting of enterprise VPN infrastructure, leveraging zero-day and n-day vulnerabilities to gain initial access. The group operates a double-extortion model, exfiltrating sensitive data before encrypting victim environments and threatening public leaks on their dark web leak site. Qilin has been linked to over 400 victims globally, spanning critical infrastructure, government, healthcare, and private sector organizations. Their technical proficiency includes rapid weaponization of exploits, lateral movement using living-off-the-land techniques, and deployment of custom ransomware payloads tailored to the victim’s environment.
Technical Analysis of Malware/TTPs
The exploited vulnerability, tracked as CVE-2024-24919, affects Check Point Remote Access VPN, Mobile Access, and Spark firewall products. The flaw resides in the handling of the IKEv1 key exchange protocol, specifically when legacy remote access clients are enabled and machine certificate authentication is not enforced. Attackers can craft malicious IKEv1 negotiation packets to bypass authentication controls, establishing unauthorized VPN sessions without valid credentials.
Upon successful exploitation, adversaries gain direct access to the internal network, often with elevated privileges. Post-exploitation tactics observed include credential harvesting from memory and configuration files, deployment of Cobalt Strike or similar post-exploitation frameworks, and lateral movement via RDP, SMB, and remote PowerShell. The final stage involves the deployment of the Qilin ransomware payload, which encrypts files using robust cryptographic algorithms and appends a unique extension. The ransomware also drops ransom notes with instructions for contacting the operators and negotiating payment.
Network telemetry and forensic analysis have revealed the use of custom VPN client fingerprints, obfuscated command-and-control (C2) traffic, and anti-forensic measures such as log tampering and disabling of endpoint security controls. The attackers demonstrate a high level of operational security, rotating infrastructure and leveraging compromised VPN credentials for persistence.
Exploitation in the Wild
Exploitation of CVE-2024-24919 was first observed in early May 2024, with a significant uptick in attacks reported by Check Point and corroborated by third-party threat intelligence sources. The initial wave targeted organizations with exposed VPN gateways configured to accept legacy clients and IKEv1 connections. Attackers rapidly weaponized public proof-of-concept code, automating the scanning and exploitation of vulnerable endpoints.
Confirmed incidents include breaches at government agencies, financial institutions, and healthcare providers. In several cases, exploitation led to the deployment of Qilin ransomware, resulting in operational disruption, data exfiltration, and extortion demands. Incident response teams have identified evidence of reconnaissance, privilege escalation, and data staging prior to ransomware deployment, indicating a deliberate and methodical attack lifecycle.
The exploitation campaign is ongoing, with new victims reported daily. Attackers are leveraging anonymized infrastructure, including VPN chains and bulletproof hosting, to obfuscate their origin. The use of zero-day exploits and rapid post-exploitation activity highlights the need for immediate patching and enhanced monitoring.
Victimology and Targeting
Victims of this campaign span a diverse range of sectors, including government, critical infrastructure, healthcare, finance, and manufacturing. The common denominator among targeted organizations is the use of Check Point VPN products with legacy remote access configurations and insufficient authentication controls. Geographic distribution of victims is global, with a concentration in North America and Europe, reflecting the widespread adoption of Check Point solutions in these regions.
Attackers exhibit opportunistic targeting, scanning for vulnerable endpoints and prioritizing organizations with high-value data or critical operations. Post-compromise activity is tailored to the victim’s environment, with data exfiltration and ransomware deployment customized to maximize impact and leverage in extortion negotiations. The targeting of federal agencies prompted the CISA emergency directive, but private sector organizations are equally at risk and should consider themselves high-priority targets.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2024-24919. Organizations must apply the latest security updates released by Check Point for all affected products. Where patching is not immediately feasible, the following compensating controls are strongly recommended: disable support for legacy remote access clients, enforce IKEv2-only authentication, require machine certificate authentication for all VPN connections, and enable and update Intrusion Prevention System (IPS) signatures to detect exploitation attempts.
Continuous monitoring of VPN logs for anomalous authentication events, especially those negotiated over IKEv1, is critical. Organizations should review network traffic for unexpected VPN connections from external IP addresses and investigate any signs of lateral movement or privilege escalation. Endpoint detection and response (EDR) solutions should be configured to detect and block known Qilin ransomware indicators, including file hashes, command-line artifacts, and C2 infrastructure.
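The log review described above can be scripted. The following is an added example written for this report; it is not Check Point code and does not use Check Point's real log format. The sample log lines and the allow list of expected source ranges are constructed for illustration, and the key=value layout is a hypothetical stand-in for whatever the gateway actually exports. It flags the three conditions the mitigation section calls out: authentication negotiated over IKEv1, successful sessions from addresses outside the ranges where remote users are expected, and successful sessions that did not present a machine certificate. Findings are then rolled up per source address so an analyst can prioritize which connections to investigate first.

```python
"""Triage helper for VPN gateway authentication logs (added example).

Assumptions: the log format below is constructed, not a vendor format, and
EXPECTED_RANGES is a hypothetical allow list that an organization would
replace with its own remote-user address ranges.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical key=value layout, not real gateway output).
SAMPLE_LOG = """\
time=2024-05-28T08:01:12Z src=203.0.113.45 ike=v2 user=alice auth=cert+password result=success
time=2024-05-28T08:02:03Z src=198.51.100.9 ike=v1 user=legacy-client auth=password result=success
time=2024-05-28T08:02:41Z src=10.20.30.40 ike=v2 user=bob auth=cert+password result=success
time=2024-05-28T08:03:10Z src=192.0.2.77 ike=v2 user=svc_backup auth=password result=success
time=2024-05-28T08:03:55Z src=198.51.100.9 ike=v1 user=admin auth=password result=failure
time=2024-05-28T08:04:20Z src=203.0.113.45 ike=v2 user=alice auth=cert+password result=failure
"""

# Hypothetical allow list: address ranges from which remote users are expected to connect.
EXPECTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Matches each key=value token; values run until the next whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line_no: int
    src: str
    user: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict (empty dict for blank/unparseable lines)."""
    return dict(KV_RE.findall(line))


def is_expected_source(src: str, ranges=EXPECTED_RANGES) -> bool:
    """True if the source address falls inside one of the expected ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ranges)


def triage(log_text: str, ranges=EXPECTED_RANGES) -> list[Finding]:
    """Return one Finding per log line that matches at least one review condition."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        if not ev:
            continue
        reasons = []
        # Any IKEv1 negotiation is worth a look, whether or not it succeeded.
        if ev.get("ike") == "v1":
            reasons.append("ikev1-auth")
        # Established sessions get two further checks: origin and credential type.
        if ev.get("result") == "success":
            if not is_expected_source(ev["src"], ranges):
                reasons.append("unexpected-external-source")
            if "cert" not in ev.get("auth", ""):
                reasons.append("no-machine-certificate")
        if reasons:
            findings.append(Finding(line_no, ev["src"], ev.get("user", "?"), reasons))
    return findings


def top_sources(findings: list[Finding]) -> dict[str, int]:
    """Count findings per source address so the noisiest origins are reviewed first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: src={f.src} user={f.user} reasons={', '.join(f.reasons)}")
    print("sources by finding count:", top_sources(results))
```

Run against the constructed sample, the script reports lines 2, 4 and 5: the IKEv1 session from 198.51.100.9 trips all three conditions, the password-only session from 192.0.2.77 trips two, and the failed IKEv1 attempt from 198.51.100.9 is kept because the protocol itself is the signal. A failed login from an expected address with a certificate (line 6) is not flagged, which keeps ordinary user error out of the queue.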
Incident response plans should be updated to account for VPN-based initial access scenarios, and organizations are encouraged to participate in threat intelligence sharing communities to receive timely updates on indicators of compromise and evolving attacker tactics.
References
- Check Point Security Advisory for CVE-2024-24919
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer: CISA orders feds to patch Check Point flaw exploited by ransomware gangs
- Reddit: Check Point links VPN zero-day attacks to Qilin ransomware gang
- MITRE ATT&CK Techniques: T1133 (External Remote Services), T1556 (Modify Authentication Process), T1486 (Data Encrypted for Impact)
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk with a comprehensive TPRM platform that delivers continuous monitoring, automated risk assessments, and actionable intelligence. Our solutions enable security teams to identify, prioritize, and mitigate threats across their extended supply chain, ensuring resilience against emerging cyber risks. For questions or further information, please contact us at ops@rescana.com.