We start with taking ownership of the alert.
Our next step is to create a case for starting our investigation.
After we start the playbook, we need to understand why the alert was triggered.
We start by examining the rule name SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919] and using OSINT to find out more information about the reported CVE.
This is the screenshot of the NIST National Vulnerability database webpage about the above CVE
link: https://nvd.nist.gov/vuln/detail/cve-2024-24919
Description of the CVE:
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available. Its base score (severity) is 8.6, which is HIGH.
From the description of the alert, we know it was "Allowed".
Our next step is to collect data to get a better understanding of the communication traffic.
Above is the screenshot of the Threat Intel tab on LetsDefend after we search for the source IP on it.
This is what we get after we search for the IP and look at its reputation on VirusTotal:
The geolocation of the IP address is Hong Kong.
We can now confirm the traffic is malicious and was allowed, though with low confidence, since only 2 out of 94 vendors flagged it as malicious.
Checking the IP's reputation on AbuseIPDB:
Below is what we find on Cisco Talos Intelligence:
link: https://talosintelligence.com/reputation_center/lookup?search=203.160.68.12
The next step for us is examining the HTTP traffic:
This is a POC for the CVE exploit:
https://github.com/un9nplayer/CVE-2024-24919
Let's dive into the logs now.
It looks like our attacker is attempting to navigate the file system of the server to access sensitive files like /etc/passwd and /etc/shadow on Unix-based systems, which contain user account information.
Now we have to check if it is a planned test.
After checking the Email Security tab and searching for the IP addresses and the hostname, we see no such mail regarding a notification of any planned test. We can conclude it is NOT a planned test.
We saw that the source IP is an external IP from Hong Kong, so the traffic is moving from Internet -> Company Network.
The attack was successful.
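The log review above (traversal sequences aimed at /etc/passwd and /etc/shadow, an external source, and an "Allowed" action) can be turned into a small triage script. The following is an added example written for this walkthrough, not code from LetsDefend or from the write-up. The log entries are constructed: the source IP 203.160.68.12 is the one looked up on Talos above, while the destination IPs, the URL path /placeholder/endpoint and the request bodies are made up. It URL-decodes each request before matching, so percent-encoded and double-encoded traversal attempts are not missed, and it classifies traffic direction from whether the source and destination are RFC 1918 addresses.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample log entries (not the LetsDefend log data from the write-up).
# 203.160.68.12 is the source IP from the write-up; every other value is made up.
SAMPLE_LOGS = [
    {"src": "203.160.68.12", "dst": "10.0.0.5", "method": "POST",
     "url": "/placeholder/endpoint", "body": "../../../../../../etc/passwd",
     "status": 200, "action": "Allowed"},
    {"src": "203.160.68.12", "dst": "10.0.0.5", "method": "POST",
     "url": "/placeholder/endpoint", "body": "..%2f..%2f..%2f..%2fetc%2fshadow",
     "status": 200, "action": "Allowed"},
    {"src": "10.0.0.7", "dst": "10.0.0.5", "method": "GET",
     "url": "/index.html", "body": "", "status": 200, "action": "Allowed"},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "method": "GET",
     "url": "/updates/list", "body": "", "status": 200, "action": "Allowed"},
]

# Files the write-up names as the attacker's targets.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
TRAVERSAL_RE = re.compile(r"\.\./")


def normalise(value):
    """URL-decode repeatedly (bounded) so encoded or double-encoded traversal
    sequences become visible, and fold backslashes to forward slashes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value):
    """True if the decoded request contains a parent-directory sequence."""
    return TRAVERSAL_RE.search(normalise(value)) is not None


def sensitive_targets(value):
    """List of sensitive file paths referenced in the decoded request."""
    norm = normalise(value)
    return [f for f in SENSITIVE_FILES if f in norm]


def traffic_direction(src, dst):
    """Classify flow direction using private (RFC 1918) vs public addressing."""
    src_internal = ipaddress.ip_address(src).is_private
    dst_internal = ipaddress.ip_address(dst).is_private
    if not src_internal and dst_internal:
        return "Internet -> Company Network"
    if src_internal and not dst_internal:
        return "Company Network -> Internet"
    if src_internal and dst_internal:
        return "Internal"
    return "External"


def analyse(entry):
    """Produce the per-request findings an analyst would record."""
    fields = entry["url"] + " " + entry["body"]
    traversal = has_traversal(fields)
    targets = sensitive_targets(fields)
    suspicious = traversal or bool(targets)
    # "Allowed" plus a 200 response means the request reached the server and was
    # answered; treat that as a likely success that still needs confirmation
    # from the response body (assumption made for this example).
    likely_success = suspicious and entry["action"] == "Allowed" and entry["status"] == 200
    return {
        "src": entry["src"],
        "direction": traffic_direction(entry["src"], entry["dst"]),
        "traversal": traversal,
        "sensitive_targets": targets,
        "suspicious": suspicious,
        "likely_success": likely_success,
    }


def triage(entries):
    """Run the analysis over every log entry and return the findings."""
    return [analyse(e) for e in entries]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Running it over the constructed entries flags the two external requests as traversal attempts against /etc/passwd and /etc/shadow, marks them Internet -> Company Network and likely successful because they were allowed with a 200 response, and leaves the two internal requests clean.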
The next step for us is to contain the host.
Based on what we have uncovered during our investigation, it would be wise for us to contain this server endpoint to prevent further damage.
Add artifacts:
In this case we need Tier 2 escalation.
After adding the analyst's notes, we finish the playbook and close the alert.