
Chinese Cyber Attackers Exploit Check Point Vulnerability to Deploy Ransomware

Writer: John Jordan

A recent campaign linked to Chinese threat actors exploited a vulnerability in Check Point network security gateways to break into European organizations, most of them in the healthcare sector. The campaign, tracked as Green Nailao, delivered the ShadowPad backdoor and the NailaoLocker ransomware, and it shows how a single flaw in an internet-facing VPN gateway can become the entry point for both espionage and extortion in a critical sector.


Key Takeaways

  • Attack Origin: Linked to Chinese threat actors.

  • Targeted Sector: Primarily healthcare organizations in Europe.

  • Exploited Vulnerability: CVE-2024-24919 in Check Point network security gateways.

  • Malware Used: ShadowPad and NailaoLocker ransomware.

  • Attack Duration: Observed between June and October 2024.

Overview of the Attack

The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, exploited a recently patched security flaw in Check Point network gateway products, tracked as CVE-2024-24919 (CVSS score 7.5). Once inside, the attackers used DLL search-order hijacking (side-loading a malicious DLL through a legitimate, trusted executable) to run their malware without dropping an obviously malicious program on disk.

Attack Methodology

  1. Initial Access: The attackers exploited the vulnerability on internet-facing Check Point instances to retrieve user credentials, then connected to the VPN with those legitimate accounts, so the first foothold looked like an ordinary remote-access login.

  2. Network Reconnaissance: With VPN access in hand, the attackers performed reconnaissance and moved laterally over Remote Desktop Protocol (RDP), working their way up to elevated privileges on the target network.

  3. Malware Deployment: They executed a legitimate binary, "logger.exe," which side-loaded a rogue DLL named "logexts.dll" placed alongside it. The rogue DLL acted as a loader for the ShadowPad malware, so the malicious code ran under the name of a trusted program.
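The side-loading step above is the part of this chain a defender can observe on endpoints: a trusted executable loads a DLL with a well-known Windows name from a directory where that DLL does not belong. The following Python script is an added example (not code from the original article or from Orange Cyberdefense) that applies that heuristic to Sysmon Event ID 7 (ImageLoad) records. The log lines, the directory allowlists and the extra DLL names beyond logexts.dll are constructed assumptions for illustration; only the logger.exe / logexts.dll pairing comes from the campaign described on this page.

```python
"""
Flag DLL search-order hijacking / side-loading in Sysmon ImageLoad (Event ID 7)
records exported as JSON lines.  Added example; the sample events are constructed.
"""
import json
import ntpath

# Directories from which Windows-supplied DLLs are legitimately loaded (assumption:
# extend for your own build, e.g. WinSxS component paths or a vendor install root).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# DLL names that ship with Windows or the Windows debugging tools and are common
# side-loading targets.  logexts.dll is the one abused in Green Nailao; the other
# names are illustrative additions, not from the article.
KNOWN_SYSTEM_DLLS = {"logexts.dll", "version.dll", "dbghelp.dll", "sensapi.dll"}

# Legitimate executable / DLL pairs known to be used for side-loading.  Only the
# logger.exe / logexts.dll pair is from the campaign on this page.
KNOWN_SIDELOAD_PAIRS = {("logger.exe", "logexts.dll")}


def _norm_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_trusted_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def _microsoft_signed(event: dict) -> bool:
    """Sysmon records the loaded image's signature; a genuine copy of a Windows
    DLL installed outside System32 (e.g. the Debugging Tools) is still Microsoft-signed."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("Signature", "").lower().startswith("microsoft"))


def sideload_reasons(event: dict) -> list[str]:
    """Return the indicators that make one ImageLoad event look like side-loading.
    An empty list means the load is not suspicious under these heuristics."""
    exe, dll = event["Image"], event["ImageLoaded"]
    exe_name, dll_name = ntpath.basename(exe).lower(), ntpath.basename(dll).lower()
    exe_dir, dll_dir = _norm_dir(exe), _norm_dir(dll)
    signed = _microsoft_signed(event)
    reasons = []

    # 1. A well-known Windows DLL name loaded from outside the system directories,
    #    and the file is not carrying a Microsoft signature: classic search-order hijack.
    if dll_name in KNOWN_SYSTEM_DLLS and not _in_trusted_dir(dll_dir) and not signed:
        reasons.append(f"{dll_name} loaded from {dll_dir} without a Microsoft signature")

    # 2. A known side-loading pair where the DLL sits next to its loader outside the
    #    system directories, i.e. the attacker staged both files together.
    if ((exe_name, dll_name) in KNOWN_SIDELOAD_PAIRS and dll_dir == exe_dir
            and not _in_trusted_dir(exe_dir) and not signed):
        reasons.append(f"known side-load pair {exe_name}/{dll_name} co-located in {exe_dir}")
    return reasons


def scan(jsonl: str) -> list[dict]:
    """Run the heuristics over JSON-lines Sysmon output and return the hits."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # only ImageLoad events carry a DLL path
            continue
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed sample: one benign system load, one staged side-load in a user-writable
# directory, one genuine Debugging Tools install, and one non-ImageLoad event.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\ProgramData\\Update\\logger.exe", "ImageLoaded": "C:\\ProgramData\\Update\\logexts.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\logger.exe", "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\logexts.dll", "Signed": "true", "Signature": "Microsoft Corporation"}
{"EventID": 1, "Image": "C:\\ProgramData\\Update\\logger.exe", "CommandLine": "logger.exe"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["process"], "->", hit["dll"])
        for r in hit["reasons"]:
            print("   ", r)
```

Only the staged copy under C:\ProgramData is reported; the same logger.exe / logexts.dll pair inside a real Windows Kits installation passes because the DLL carries a Microsoft signature. The signature check is what keeps this rule usable: without it, every legitimate tool that ships its own copy of a Windows DLL would alert.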

Malware Characteristics

  • ShadowPad: A modular backdoor used exclusively by Chinese espionage actors since at least 2015. The variant seen in this campaign adds enhanced obfuscation and anti-debugging measures and contacts a remote server to give the operators persistent remote access to compromised systems.

  • NailaoLocker: A C++-based ransomware that encrypts files and appends a ".locked" extension. It drops a ransom note demanding payment in Bitcoin or contact through a Proton Mail address. Researchers describe NailaoLocker as relatively unsophisticated and poorly designed: it does not scan network shares, does not stop services or processes that might block encryption of important files, and has no anti-analysis features, so it appears not to have been built to guarantee complete encryption.

Implications for Cybersecurity

The attack highlights how exposed critical sectors such as healthcare are when an internet-facing gateway goes unpatched: one information-disclosure flaw yielded valid VPN credentials, and from there the intrusion looked like normal remote access until the side-loaded malware appeared on endpoints. The combination of DLL side-loading, an espionage backdoor and a ransomware payload suggests a dual motive, data theft and financial gain, within a single campaign.

As cyber threats continue to evolve, organizations must prioritize the basics that this campaign abused: patch internet-facing VPN and security gateways promptly, rotate any credentials that a disclosed flaw could have exposed, watch for VPN logins and RDP activity that do not fit normal patterns, and monitor endpoints for trusted executables loading DLLs from unexpected locations. The Green Nailao campaign is a reminder of the persistent risk posed by state-aligned threat actors and of the value of timely patching and robust security controls in safeguarding sensitive information.

Cybersecurity is more crucial than ever. At BetterWorld Technology, we provide advanced solutions to tackle emerging threats while fostering innovation. Secure your business with confidence—contact us today for a consultation.

Sources

  • China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware, The Hacker News.

