Investigating a Hacked Firewall | Checkpoint Security | LetsDefend SOC287 Case

Motasem Hamdan
2 min read · Jan 12, 2025


This post walks through the investigation of a security alert raised for a web exploitation attempt against a Checkpoint Security Gateway. It is based on the LetsDefend SOC287 case, which is designed to guide analysts through a realistic incident response scenario.

Introduction to the Case (SOC287)

  • The alert was triggered by a rule detecting a possible web exploitation attempt.
  • Specifically, it involved an arbitrary file read vulnerability in the Checkpoint Security Gateway, tracked as CVE-2024-24918.
  • The Checkpoint Security Gateway serves as a next-generation firewall for corporate networks, so a file read on it exposes the perimeter device itself.

Attack Analysis

  • The attacker sent a POST request aiming to exploit the vulnerability.
  • The URL in the request contained directory traversal (../) sequences, targeting the sensitive /etc/passwd file.
  • The detection rule matched on these recognizable exploitation patterns in the request.

Vulnerability Details

  • This vulnerability could allow attackers to read system files on the security gateway when it is connected to the internet with Remote Access VPN or Mobile Access enabled.
  • A security patch is available, which underlines the importance of keeping the gateway's firmware up to date.

Proof of Concept (PoC)

  • A working proof-of-concept exploit for this vulnerability exists on GitHub, demonstrating how the vulnerability is exploited in practice.

Log Analysis

  • Investigation of the logs revealed two POST requests from the attacker:
  • The first successfully read the /etc/passwd file (response code 200 OK).
  • The second, targeting /etc/shadow, was blocked (403 Forbidden).
  • The attacker used Local File Inclusion (LFI) and Directory Traversal techniques.
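As an added example (not part of the original case write-up), the following Python script applies the same logic an analyst uses when reviewing these logs: it parses constructed access-log lines (sample data, not the real alert), decodes URL encoding so that encoded traversal sequences are also caught, and classifies each traversal attempt by its response code, separating the successful /etc/passwd read from the blocked /etc/shadow request. The log format, IP addresses and request paths are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not data from the real case.
SAMPLE_LOGS = """\
203.0.113.45 - - [12/Jan/2025:10:14:02 +0000] "POST /portal/../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/8.4.0"
203.0.113.45 - - [12/Jan/2025:10:14:05 +0000] "POST /portal/..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2025:10:15:11 +0000] "GET /portal/static/app.js HTTP/1.1" 200 50432 "-" "Mozilla/5.0"
"""

# Extract client IP, timestamp, method, request path and status code from one line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files whose exposure matters most in this case (assumed list, extend as needed).
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")


def normalize_path(path: str) -> str:
    """Decode percent-encoding twice (catches double-encoded '..%252f') and unify slashes."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


def analyze_line(line: str):
    """Return a finding dict for a traversal attempt, or None if the line is benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    if "../" not in path:
        return None
    target = next((f for f in SENSITIVE_FILES if path.endswith(f)), "unknown")
    status = int(m.group("status"))
    # A 200 means the gateway served the request; 401/403/404 means it was refused.
    if status == 200:
        verdict = "SUCCESSFUL_READ"
    elif status in (401, 403, 404):
        verdict = "BLOCKED"
    else:
        verdict = "UNKNOWN"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "target": target, "status": status, "verdict": verdict}


def analyze_logs(text: str):
    """Run analyze_line over every line and keep only the traversal findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOGS):
        print(finding)
```

Treat a 200 as a confirmed read only after checking the response size or body; the verdict here is a triage aid, not proof of exfiltration.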

Investigation Steps

  • Ownership of the case was taken, and a playbook was initiated to guide the investigation.
  • Log management tools were used to search for the attacker's IP address and review the associated network traffic.
  • No evidence was found suggesting this was a planned penetration test.
  • Threat intelligence tools such as VirusTotal and ANY.RUN were used to assess the reputation of the attacker's IP address.

Attack Direction & Outcome

  • The traffic originated from the internet to the company network (external to internal).
  • The attack was partially successful: the attacker read /etc/passwd, but the follow-up request for /etc/shadow was blocked.

Containment & Response

  • Steps were initiated to contain the incident by isolating the affected endpoints and applying the vendor's security patch.
  • Emphasis was placed on keeping systems updated and monitoring for similar exploitation attempts.

Video Walkthrough
