Chinese Hackers Exploiting Check Point’s VPN Zero-Day Flaw to Attack Orgs Worldwide 

A cyber attack leveraging Check Point’s patched CVE-2024-24919 vulnerability has targeted organizations across Europe, Africa, and the Americas. Security analysts have observed direct linkages to Chinese state-sponsored threat actors. 

The intrusion chain, which deploys the ShadowPad backdoor and NailaoLocker ransomware, exploits unpatched VPN gateways to infiltrate critical infrastructure, primarily in manufacturing sectors.

The CVE-2024-24919 vulnerability (CVSS 8.6) allowed unauthenticated attackers to read arbitrary files on Check Point Security Gateways configured with IPSec VPN or Mobile Access blades. 


Check Point’s telemetry revealed exploitation attempts beginning in April 2024, with threat actors using stolen credentials to authenticate to VPNs and masquerade as legitimate users. 

Compromised endpoints often bore default hostnames like DESKTOP-O82ILGG, matching patterns observed in prior Chinese operations.

Lateral Movement and ShadowPad Deployment

After establishing VPN access, attackers conducted network reconnaissance using RDP and SMB protocols, targeting domain controllers for privilege escalation. 

The ShadowPad backdoor was deployed via DLL sideloading, abusing legitimate executables like AppLaunch.exe to load malicious libraries (e.g., mscoree.dll).

ShadowPad’s modular architecture, decrypted in memory using XOR-based algorithms, supported multiple command-and-control (C2) protocols, including HTTP(S) and UDP, with encrypted payloads.

This backdoor created persistence through Windows services and registry keys while exfiltrating system metadata like hostnames and private IPs.

In a subset of incidents, attackers deployed NailaoLocker ransomware via ShadowPad’s execution framework. The ransomware employed AES-256-CTR encryption, appended a .locked extension to encrypted files, and dropped ransom notes in %ALLUSERSPROFILE%. 

Its core design included logging failed encryption attempts and a hardcoded mutex (Global\lockv7) to prevent re-infection.

Notably, NailaoLocker’s loader (NailaoLoader.dll) abused legitimate binaries like usysdiag.exe to sideload payloads, a tactic overlapping with Southeast Asian cybercrime groups.

Apply Check Point’s security updates for the following releases, then take the additional steps below:

  • Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
  • Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
  • Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x
  • Rotate LDAP and local account passwords; revoke SSH keys.
  • Deploy Check Point Harmony Endpoint 88.50+ to detect ShadowPad’s process injection (svchost.exe → rundll32.exe).
  • Flag RDP/SMB connections from VPN IPs and anomalous logins (e.g., geographic impossibilities).
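The detection items above, together with the default-hostname indicator mentioned earlier (DESKTOP-O82ILGG), can be turned into simple hunting logic. The following Python is an added example written for this article, not code from Check Point or from the campaign analysis; the VPN address pool, the alert threshold and all log events are constructed assumptions, and the hostname regex encodes the Windows convention of DESKTOP- followed by seven alphanumerics.

```python
"""Hunting helpers for the post-exploitation patterns described in the article:
RDP/SMB connections originating from VPN-assigned addresses, default DESKTOP-*
hostnames, and geographically impossible logins. All events are constructed."""
import ipaddress
import math
import re
from datetime import datetime

# Assumed VPN client pool; set this to the gateway's actual Office Mode range.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
LATERAL_PORTS = {3389: "RDP", 445: "SMB"}

# Windows default machine names: "DESKTOP-" plus seven uppercase alphanumerics.
DEFAULT_HOSTNAME = re.compile(r"^DESKTOP-[A-Z0-9]{7}$")


def is_default_hostname(name: str) -> bool:
    """True for never-renamed Windows hosts, a weak but cheap indicator."""
    return bool(DEFAULT_HOSTNAME.match(name.upper()))


def flag_lateral_from_vpn(events):
    """Return (src, dst, proto) for RDP/SMB connections whose source sits in
    the VPN pool; remote users seldom need either protocol directly."""
    hits = []
    for ev in events:
        if ipaddress.ip_address(ev["src"]) in VPN_POOL and ev["dport"] in LATERAL_PORTS:
            hits.append((ev["src"], ev["dst"], LATERAL_PORTS[ev["dport"]]))
    return hits


def _haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive logins of one user whose implied travel speed exceeds
    max_kmh (constructed threshold, roughly airliner speed)."""
    by_user = {}
    for entry in sorted(logins, key=lambda x: x["ts"]):
        by_user.setdefault(entry["user"], []).append(entry)
    flagged = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = _haversine_km(prev["geo"], cur["geo"])
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((user, prev["src"], cur["src"], round(km)))
    return flagged


# Constructed connection events: a VPN client reaching a domain controller.
CONN_EVENTS = [
    {"src": "10.200.4.17", "dst": "10.1.0.5", "dport": 3389},  # VPN client -> DC, RDP
    {"src": "10.200.4.17", "dst": "10.1.0.5", "dport": 445},   # VPN client -> DC, SMB
    {"src": "10.200.4.17", "dst": "10.1.0.9", "dport": 443},   # ordinary HTTPS, ignored
    {"src": "10.1.0.22", "dst": "10.1.0.5", "dport": 445},     # internal host, not VPN
]

# Constructed VPN logins with geolocated source addresses, geo = (lat, lon).
LOGINS = [
    {"user": "j.doe", "src": "203.0.113.10", "ts": datetime(2024, 6, 3, 8, 0), "geo": (48.85, 2.35)},       # Paris
    {"user": "j.doe", "src": "198.51.100.7", "ts": datetime(2024, 6, 3, 9, 30), "geo": (-33.87, 151.21)},   # Sydney
    {"user": "a.lee", "src": "192.0.2.44", "ts": datetime(2024, 6, 3, 8, 0), "geo": (51.50, -0.12)},        # London
    {"user": "a.lee", "src": "192.0.2.44", "ts": datetime(2024, 6, 3, 17, 0), "geo": (51.50, -0.12)},       # London
]

if __name__ == "__main__":
    print("default hostname:", is_default_hostname("DESKTOP-O82ILGG"))
    print("lateral from VPN:", flag_lateral_from_vpn(CONN_EVENTS))
    print("impossible travel:", impossible_travel(LOGINS))
```

In practice the event dictionaries would be built from gateway connection logs and VPN authentication logs enriched with a GeoIP lookup; the two VPN-sourced RDP and SMB connections to the domain controller and the Paris-to-Sydney login within 90 minutes are the alerts a SOC would expect from the checks the list describes.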

This campaign underscores Chinese threat actors’ evolving hybrid tactics, blending cyber espionage with ransomware for operational flexibility. 

The use of CVE-2024-24919 months after patching highlights systemic vulnerabilities in legacy VPN infrastructures, particularly in manufacturing sectors with delayed update cycles.

Check Point’s incident response team continues to collaborate with CERTs to disrupt C2 infrastructure, though the persistence of ShadowPad’s plugins suggests the long-term risk requires continuous vigilance.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.