The security community is currently managing two significant developments that require immediate attention. Check Point has confirmed a critical zero-day vulnerability in its Security Gateways is being actively targeted, while separate reports indicate a campaign of unauthorized data access affecting Snowflake customers. These events direct focus to two distinct areas of the modern enterprise: the physical network edge and cloud-based data warehouses. For security teams, the priority is now to move beyond assessment into active containment by auditing both perimeter hardware and third-party identity management.
The issue affecting Check Point, tracked as CVE-2024-24919, involves a vulnerability that allows unauthorized parties to bypass authentication and read sensitive information on internet-facing gateways. This affects Check Point's Quantum Spark, CloudGuard, and other gateway product lines. This development fits a broader pattern where threat actors focus on edge devices, such as VPNs and firewalls, that often operate outside the visibility of standard endpoint detection and response (EDR) tools. By compromising these gateways, unauthorized actors can establish a presence that circumvents traditional perimeter defenses.
Simultaneously, researchers are tracking unauthorized data transfers involving Snowflake environments. While Snowflake has clarified that its own infrastructure remains secure, reports link this activity, including claims regarding Ticketmaster customer data, to compromised credentials. The common factor in these events appears to be the use of valid credentials on accounts that lack multi-factor authentication (MFA). This reinforces the reality that cloud platform security relies heavily on the identity management practices of the organizations using them.
Technically, the Check Point vulnerability is an information disclosure issue. It allows an unauthenticated remote actor to read arbitrary files. In practice, this enables the retrieval of critical system files, such as /etc/shadow, which contains the password hashes for local accounts. If administrators rely on local accounts for access, these hashes can be cracked offline, potentially allowing lateral movement into the internal network. The risk is elevated when the "Remote Access" or "Mobile Access" blades are enabled, a configuration frequently used to support remote work.
Regarding Snowflake, the technical method involves the use of "demo" or legacy account credentials, likely harvested from previous, unrelated malware infections. Unauthorized actors use these credentials to log into the Snowflake web-based management console. Once authenticated, they execute large-scale export commands to move data to external storage. This aligns with MITRE ATT&CK T1078 (Valid Accounts): no software vulnerability is exploited at all, because the actor simply signs in with credentials that already work.
For defenders, we recommend a two-part response strategy. First, for Check Point environments, administrators should apply the released hotfixes for R81.10, R81, R80.40, and other affected versions immediately. Beyond patching, it is essential to verify the integrity of local accounts. We advise resetting passwords for all local users and ensuring gateways do not rely solely on local authentication for administrative access. Teams should review logs for unauthorized attempts to access sensitive system paths and check for any new, unauthorized local accounts.
For Snowflake and broader SaaS environments, these events necessitate an audit of identity policies. We recommend enforcing MFA across all accounts, without exceptions for service accounts or "emergency" admin logins where possible. If legacy integrations prevent MFA, organizations should implement Network Policies (IP allow-listing) to restrict access to known corporate IP addresses. Monitoring should be configured to alert on large "COPY INTO" or "SELECT *" operations that deviate from baseline data transfer volumes.
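As an added illustration of the monitoring guidance above (example code, not from the original article or from Snowflake), the following Python scores each user's bulk-export volume against that user's own prior-day baseline and lists password-based users without MFA. The row layouts are assumed to mirror the QUERY_HISTORY and USERS views of Snowflake's ACCOUNT_USAGE schema, and all sample rows are constructed.

```python
import re
from statistics import mean, pstdev

BULK_EXPORT = re.compile(r"^\s*(COPY\s+INTO\s+@|SELECT\s+\*\s+FROM)", re.IGNORECASE)

def is_bulk_export(query_type, query_text):
    """True for UNLOAD queries (COPY INTO a stage) or text that starts as a SELECT * dump."""
    return query_type == "UNLOAD" or BULK_EXPORT.match(query_text) is not None

def export_spikes(rows, today, min_days=5, sigma=3.0):
    """Flag users whose bulk-export bytes on `today` exceed mean + sigma*stdev of prior days.
    A user with too little history who exports anything is flagged as 'no baseline': the
    dormant demo or legacy account that suddenly becomes active."""
    totals = {}  # (user, day) -> BYTES_WRITTEN_TO_RESULT summed over bulk-export queries
    for user, day, query_type, query_text, nbytes in rows:
        if is_bulk_export(query_type, query_text):
            totals[(user, day)] = totals.get((user, day), 0) + nbytes
    flagged = {}
    for user in {u for u, _ in totals}:
        history = [b for (u, d), b in totals.items() if u == user and d < today]
        current = totals.get((user, today), 0)
        if current == 0:
            continue
        if len(history) < min_days:
            flagged[user] = "no baseline"
        elif current > mean(history) + sigma * pstdev(history):
            flagged[user] = f"{current} bytes vs baseline mean {mean(history):.0f}"
    return flagged

def users_missing_mfa(user_rows):
    """Enabled users with a password but no MFA (USERS.HAS_PASSWORD / HAS_MFA / DISABLED)."""
    return sorted(n for n, has_pw, has_mfa, off in user_rows if has_pw and not has_mfa and not off)

# Constructed sample rows, not real telemetry. QUERY_ROWS: (user, day, query_type, query_text, bytes).
MB = 1_000_000
QUERY_ROWS = [
    # analyst_a: steady daily unloads, then an ordinary day
    *[("analyst_a", f"2024-05-0{d}", "UNLOAD", "COPY INTO @s3_stage FROM report", b * MB)
      for d, b in zip(range(1, 7), [48, 50, 52, 49, 51, 50])],
    ("analyst_a", "2024-05-07", "UNLOAD", "COPY INTO @s3_stage FROM report", 52 * MB),
    ("analyst_a", "2024-05-07", "SELECT", "SELECT id FROM orders WHERE id = 1", 1_000),  # filtered: ignored
    # svc_legacy: small steady history, then a SELECT * dump far above its baseline
    *[("svc_legacy", f"2024-05-0{d}", "UNLOAD", "COPY INTO @s3_stage FROM customers", b * MB)
      for d, b in zip(range(1, 7), [9, 10, 11, 10, 9, 11])],
    ("svc_legacy", "2024-05-07", "SELECT", "SELECT * FROM customers", 900 * MB),
    # demo_user: no prior activity, first query is a full-table dump
    ("demo_user", "2024-05-07", "SELECT", "select * from orders", 300 * MB),
]
# USER_ROWS: (name, has_password, has_mfa, disabled)
USER_ROWS = [("analyst_a", True, True, False), ("svc_legacy", True, False, False), ("demo_user", True, False, False), ("old_admin", True, False, True)]
```

In production the same logic runs over real ACCOUNT_USAGE rows, and the threshold should be tuned per warehouse rather than fixed at three standard deviations.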
These developments reflect a strategic shift in the threat environment. Threat actors are moving away from disruptive endpoint activity toward quieter data extraction and infrastructure compromise. The focus on edge gateways and cloud identity suggests that the perimeter has evolved to include both physical edge devices and the "identity perimeter."
The full scope of the Check Point activity is still being mapped, though the technique indicates a specific level of technical capability. Regarding Snowflake, the total number of affected organizations is being assessed. Security teams should remain vigilant for further updates as forensic investigations proceed.