Chinese Hackers Exploit Check Point VPN Zero-Day


Chinese hackers exploited a patched Check Point VPN flaw (CVE-2024-24919) to target organizations in Europe, Africa, and the Americas, researchers say.

All about the attack

The attacks, which ran from June 2024 to January 2025, hit manufacturing firms with ShadowPad malware and, in some cases, NailaoLocker ransomware.

Check Point confirmed the flaw—fixed in May 2024—was used to steal VPN credentials and access networks.

Hackers exploited CVE-2024-24919, a vulnerability in Check Point’s Network Security gateways, to steal valid VPN credentials and gain initial access to targeted networks.

Once inside, they mapped the internal network and used tools like Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move laterally, ultimately aiming for domain controllers to escalate their privileges.

To stay undetected, the attackers relied on a technique called DLL sideloading. This method uses legitimate Windows processes—such as FXSSVC.exe or LogonUI.exe—to load malicious DLL files placed in trusted directories like C:\PerfLogs.

This allowed them to install ShadowPad, a sophisticated modular backdoor known for its stealth capabilities and advanced command-and-control (C2) functions.

In some cases, the attackers also deployed NailaoLocker ransomware. However, researchers believe the ransomware use was secondary, possibly opportunistic rather than the main goal of the operation.

During its investigation, Check Point noticed that many of the compromised systems followed a consistent naming pattern (e.g., DESKTOPO82ILGG), suggesting the credential theft and access process was automated.

Abnormal login activity was also detected, including access attempts from unusual geographic locations, further pointing to coordinated, pre-planned attacks.

Over 60% of the confirmed targets were manufacturing firms, with healthcare, logistics, and energy sectors also impacted.

The campaign’s widespread geographic reach, including Germany, Brazil, South Africa, and India, underscores the attackers’ focus on economic espionage.

Experts believe the manufacturing sector was targeted due to its importance in supply chains and intellectual property, which aligns with typical Chinese state-backed cyber operations.

Detection and Mitigation Strategies:

  • Check Point advises verifying the installation of patches from May 27, 2024, for affected products like Quantum Security Gateway and CloudGuard Network Security.
  • Recommended actions include resetting passwords for local VPN accounts and LDAP users linked to gateways.

Key Indicators to Look For:

  • Unusual VPN logins from unknown devices or IPs, including “impossible travel” (e.g., logins from distant locations within hours).
  • Suspicious RDP sessions from VPN IPs targeting domain controllers.
  • Execution of binaries from C:\PerfLogs or creation of unauthorized services.
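As an added example (not code from the article or from Check Point), the following Python hunt script applies two of the indicators above to constructed sample events: impossible-travel VPN logins and process execution from C:\PerfLogs. The event tuples, host names, coordinates and the 900 km/h threshold are assumptions for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample VPN login events: (user, ISO timestamp, city, lat, lon)
VPN_LOGINS = [
    ("alice", "2024-07-01T08:00:00", "Berlin", 52.52, 13.40),
    ("alice", "2024-07-01T10:30:00", "Sao Paulo", -23.55, -46.63),
    ("bob", "2024-07-01T09:00:00", "Munich", 48.14, 11.58),
    ("bob", "2024-07-01T18:00:00", "Berlin", 52.52, 13.40),
]

# Constructed sample process-creation events: (host, image path, parent image)
PROCESS_EVENTS = [
    ("DESKTOP-EXAMPLE01", r"C:\PerfLogs\svc.exe", "services.exe"),
    ("DESKTOP-EXAMPLE01", r"C:\Windows\System32\FXSSVC.exe", "services.exe"),
    ("DESKTOP-EXAMPLE02", r"C:\Windows\System32\svchost.exe", "services.exe"),
]

MAX_SPEED_KMH = 900.0  # assumed ceiling: faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city) for consecutive logins of the same
    user whose implied travel speed exceeds max_speed_kmh."""
    hits, last_seen = [], {}
    for user, ts, city, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev:
            pts, pcity, plat, plon = prev
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(pts)).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_speed_kmh:
                hits.append((user, pcity, city))
        last_seen[user] = (ts, city, lat, lon)
    return hits


def perflogs_execution(events):
    # Flag any process image located under C:\PerfLogs (indicator listed above).
    return [(host, path) for host, path, _ in events
            if path.lower().startswith("c:\\perflogs\\")]
```

Both functions return the matching events rather than printing them, so they can feed a ticketing or SIEM pipeline directly.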

Protection Tools:

  • Harmony Endpoint (version 88.50+) and Check Point’s Threat Emulation platform have been updated to block ShadowPad and NailaoLocker malware.
  • Monitor for DNS requests to malicious domains (e.g., update.grayshoal[.]com) and IPs (104.168.235[.]66).

Recommended Security Measures:

  • Adopt zero-trust architectures and enforce multi-factor authentication (MFA) on VPN access.
  • Proactive threat hunting is essential to prevent further damage, as ransomware often follows espionage campaigns.


Published March 3rd, 2025 | BOTNET, Exploitation, Security Advisory, Security Update, vulnerability, Zero Day Attack

About the Author:

FirstHackersNews- Identifies Security
