

Ethical Hacking News

Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware: A Deep Dive into the Green Nailao Campaign



A recent cyber attack campaign, codenamed "Green Nailao," has been identified as a sophisticated attack vector utilized by Chinese-linked threat actors to exploit vulnerabilities in Check Point network gateway security products, ultimately leading to the deployment of ransomware called NailaoLocker. This article will delve into the details of this campaign, exploring its tactics, techniques, and procedures (TTPs), the involved parties, and the potential implications for organizations vulnerable to such attacks.


  • The "Green Nailao" campaign exploited a vulnerability in Check Point network gateway security products to deploy malware and ransomware.
  • The attacks targeted European organizations, particularly those in the healthcare sector, between June and October 2024.
  • The attackers used DLL search-order hijacking to deploy two implants associated with China-nexus targeted intrusions: PlugX and ShadowPad.
  • The exploitation of a previously patched vulnerability highlights the need for continuous monitoring and vigilance in security systems.
  • The campaign showcases the challenges faced by cybersecurity teams tasked with detecting and responding to complex threats.
  • The involvement of Chinese threat actors suggests that state-sponsored actors are increasingly involved in ransomware campaigns, with significant implications for global cyber security policy.



    The cybersecurity landscape has seen its fair share of sophisticated cyber attack campaigns in recent years, with attackers continually evolving their tactics, techniques, and procedures (TTPs) to bypass even the most robust security measures. One such campaign that garnered significant attention from cybersecurity experts is the "Green Nailao" campaign, which exploited a vulnerability in Check Point network gateway security products to deploy malware and subsequently ransomware.

    According to Orange Cyberdefense CERT, this campaign was identified as part of an ongoing threat activity cluster targeting European organizations, particularly those in the healthcare sector. The attacks were observed between June and October 2024, indicating a prolonged period of activity during which the attackers honed their skills and refined their approach.

    At the heart of this campaign is the exploitation of CVE-2024-24919, a security flaw in Check Point network gateway security products that was patched by the vendor. However, a vendor patch only protects the instances on which it has actually been installed, and in complex modern environments it is not uncommon for vulnerable systems to remain exploitable long after a fix has been released.

    In this case, the attackers leveraged DLL search-order hijacking to deploy two implants associated with China-nexus targeted intrusions: PlugX and ShadowPad. These implants are often linked to previous instances of similar attacks attributed to Chinese threat actors.

    DLL search-order hijacking abuses the order in which Windows searches directories when a program asks for a DLL by name: if a malicious DLL with the expected name is placed where the loader looks first (typically the directory of the legitimate executable), it is loaded in place of the genuine library and runs inside a trusted, often signed, process. This lets attackers maintain persistence and evade security software that trusts the host application.

    The initial access afforded by exploiting vulnerable Check Point instances enabled the threat actors to retrieve user credentials and connect to VPNs using legitimate accounts. This facilitated further network reconnaissance and lateral movement via Remote Desktop Protocol (RDP), ultimately yielding elevated privileges that allowed the attackers to execute malicious code across the environment.

    In a surprising twist, researchers discovered that the attackers carried out an additional stage of infection by sideloading a rogue DLL ("logexts.dll") through a legitimate executable ("logger.exe"). This DLL served as a loader for a new version of the ShadowPad malware, marking a significant departure from previous iterations that utilized similar tradecraft to deliver PlugX.

    Previous research on the delivery mechanism employed by PlugX revealed its use of McAfee executables to sideload malicious code. In this instance, however, the attackers opted for a custom executable ("usysdiag.exe") developed by Beijing Huorong Network Technology Co., Ltd. This executable was used as a vector for sideloading the ShadowPad malware and NailaoLocker ransomware.

    It is worth noting that the use of "usysdiag.exe" to load malicious payloads has been previously observed in attacks attributed to Cluster Alpha, a China-linked intrusion set tracked by Sophos under the name STAC1248.
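The sideloading chain described above (a rogue DLL placed beside a legitimate host such as "logger.exe" or "usysdiag.exe") leaves a recognizable trace in image-load telemetry. The following is an added detection example written for this article, not code from Orange Cyberdefense or the original post; it assumes simplified Sysmon Event ID 7 fields and a default Windows directory layout, and the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Assumption: default Windows layout for the system DLL directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names that belong in a system directory; a same-named copy resolved from the
# host executable's own folder is the search-order hijack the article describes.
# logexts.dll is named in the article; version.dll and dbghelp.dll are added here.
SYSTEM_DLL_NAMES = {"logexts.dll", "version.dll", "dbghelp.dll"}
# Executables the article reports being abused as sideloading hosts.
WATCHED_HOSTS = {"logger.exe", "usysdiag.exe"}

@dataclass
class ImageLoad:
    """One Sysmon-style image-load event (Event ID 7 fields, simplified)."""
    image: str    # loading process executable path
    loaded: str   # DLL path
    signed: bool  # DLL carries a valid Authenticode signature

def is_sideload(ev):
    """Return (flagged, reason) for one image-load event."""
    image, loaded = ev.image.lower(), ev.loaded.lower()
    host, dll = ntpath.basename(image), ntpath.basename(loaded)
    if ntpath.dirname(loaded) in SYSTEM_DIRS:
        return False, "DLL loaded from a system directory"
    if ntpath.dirname(loaded) != ntpath.dirname(image):
        return False, "DLL not beside the host executable"
    if dll in SYSTEM_DLL_NAMES:
        return True, f"system DLL name {dll} resolved from {host}'s own directory"
    if host in WATCHED_HOSTS and not ev.signed:
        return True, f"unsigned {dll} sideloaded by known abused host {host}"
    return False, "no sideload indicator"

def triage(events):
    """Keep only flagged events as (host path, DLL path, reason) tuples."""
    results = [(ev.image, ev.loaded, is_sideload(ev)) for ev in events]
    return [(img, dll, why) for img, dll, (hit, why) in results if hit]

# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\logger.exe", r"C:\Users\Public\logexts.dll", False),
    ImageLoad(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\ProgramData\usysdiag.exe", r"C:\ProgramData\support.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Only the two constructed sideload events are flagged; the system-directory load and the signed vendor helper pass, which is the false-positive control a practitioner would want before deploying such a rule.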

    Researchers Marine Pichon and Alexis Bonnefoi noted that the ShadowPad variant identified in this campaign features sophisticated obfuscation and anti-debug measures. Moreover, it establishes communication with a remote server to create persistent remote access to victim systems. This level of sophistication contrasts sharply with NailaoLocker, which researchers described as "relatively unsophisticated and poorly designed."

    NailaoLocker is a C++-based ransomware that encrypts files, appends a ".locked" extension to them, and drops a ransom note demanding bitcoin payment or contact via a Proton Mail address. Despite its relatively simple design, the attackers' use of Windows Management Instrumentation (WMI) to transfer the three files needed for the sideloading chain, executed through legitimate binaries, underscores their effort to blend in with normal administrative activity and preserve plausible deniability.

    The campaign's potential implications for organizations vulnerable to such attacks are multifaceted. Firstly, the exploitation of a previously patched vulnerability highlights the need for continuous monitoring and vigilance in security systems.

    Secondly, the deployment of sophisticated malware like ShadowPad underscores the challenges faced by cybersecurity teams tasked with detecting and responding to complex threats.

    Lastly, the involvement of Chinese threat actors suggests that state-sponsored actors are increasingly involved in ransomware campaigns. This trend has significant implications for global cyber security policy and cooperation among nations.

    In conclusion, the "Green Nailao" campaign marks a notable example of sophisticated cyber attack tactics employed by Chinese-linked threat actors. The exploitation of a previously patched vulnerability and the deployment of malware and ransomware highlight the ongoing challenges faced by cybersecurity professionals in detecting and responding to such threats. As organizations continue to grapple with the evolving landscape of cyber attacks, it is essential that they adopt a proactive approach to security, prioritizing continuous monitoring, threat intelligence, and incident response capabilities.



    Related Information:

  • https://thehackernews.com/2025/02/chinese-linked-attackers-exploit-check.html


  • Published: Thu Feb 20 12:23:26 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
