Patched Check Point Vulnerability CVE-2024-24919 Exploited to Deploy ShadowPad Malware and Ransomware
The urgency to patch CVE-2024-24919, a Check Point vulnerability fixed in May 2024, is underscored by Check Point Research: exploitation of the flaw has led to the deployment of ShadowPad malware and, in some observed intrusions, to ransomware deployment with NailaoLocker. The activity documented by Check Point Research primarily affected the manufacturing sector across Europe, Africa, and the Americas. Orange Cyberdefense CERT has separately warned that the same combination of CVE-2024-24919 exploitation and NailaoLocker ransomware was used against the European healthcare sector. The vulnerability is leveraged to steal VPN credentials, which give attackers initial access to targeted networks and a path to deploy malicious payloads. Despite the availability of a patch, organizations that have yet to apply the update remain at risk, particularly because the campaign has remained active: Check Point Research observed the activity "between June 2024 and January 2025."
The attack chain begins with credentials stolen through the exploitation of CVE-2024-24919. Attackers used these credentials to authenticate to corporate VPNs, gaining access to internal networks. Following initial access, lateral movement was observed, with attackers using Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move between systems and escalate privileges. Threat actors then dropped DLL files to enable DLL sideloading, a technique in which a legitimate, often signed, executable is made to load a malicious DLL placed alongside it; this was used to execute ShadowPad while evading detection and to establish a persistent foothold. In select cases, the intrusion escalated to the deployment of NailaoLocker ransomware, causing further disruption and, presumably, financial gain for the attackers.
Check Point Research advises organizations to take immediate action to mitigate the risks associated with this campaign. Recommendations include verifying that the security updates for affected Check Point security gateways are installed, resetting VPN account passwords, and monitoring for unusual login activity. Monitoring should focus in particular on suspicious RDP sessions originating from VPN-associated IP addresses, unauthorized interactive sessions using high-privilege accounts, and the execution of binaries from unconventional directories such as "C:\PerfLogs."
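The three monitoring points above map directly onto Windows Security log events: RDP logons (Event ID 4624, logon type 10) whose source address falls in the VPN address pool, interactive logons (logon types 2, 10, 11) by privileged accounts, and process creation (Event ID 4688) from directories such as C:\PerfLogs. The script below is an added example, not Check Point's or Orange Cyberdefense's tooling; the VPN pool, the privileged account names, the extra suspicious directory, and the sample events are all constructed assumptions for the demonstration.

```python
"""Triage constructed Windows Security events against the three indicators
named in the article. Added example; all pools, accounts and events are assumed."""
import ipaddress

# Assumption: the VPN concentrator assigns client addresses from this pool,
# so a 4624 IpAddress in the pool means the session came in over the VPN.
VPN_POOLS = [ipaddress.ip_network("10.200.0.0/16")]
# Assumption: accounts considered high-privilege in this environment.
PRIVILEGED_ACCOUNTS = {"administrator", "da-backup"}
# C:\PerfLogs is the directory named in the article; C:\Users\Public is an
# added assumption of another directory legitimate software rarely launches from.
SUSPICIOUS_DIRS = (r"C:\PerfLogs", r"C:\Users\Public")
RDP_LOGON_TYPE = 10                       # RemoteInteractive
INTERACTIVE_LOGON_TYPES = {2, 10, 11}     # Interactive, RemoteInteractive, CachedInteractive


def is_vpn_address(ip: str) -> bool:
    """True when ip parses and lies inside one of the VPN pools ("-" is a 4624 placeholder)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in pool for pool in VPN_POOLS)


def under_suspicious_dir(image: str) -> bool:
    """Case-insensitive prefix match on the directory, requiring a path separator
    after it so C:\\PerfLogsBackup does not match C:\\PerfLogs."""
    norm = image.replace("/", "\\").lower()
    return any(norm.startswith(d.lower().rstrip("\\") + "\\") for d in SUSPICIOUS_DIRS)


def rdp_from_vpn(ev: dict) -> bool:
    """4624 RDP logon whose source address belongs to the VPN pool."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE
            and is_vpn_address(ev.get("IpAddress", "-")))


def privileged_interactive_logon(ev: dict) -> bool:
    """4624 interactive-class logon by a high-privilege account."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES
            and ev.get("TargetUserName", "").lower() in PRIVILEGED_ACCOUNTS)


def exec_from_suspicious_dir(ev: dict) -> bool:
    """4688 process creation where the image lives under a suspicious directory."""
    return ev.get("EventID") == 4688 and under_suspicious_dir(ev.get("NewProcessName", ""))


RULES = [
    ("rdp_from_vpn", rdp_from_vpn),
    ("privileged_interactive_logon", privileged_interactive_logon),
    ("exec_from_suspicious_dir", exec_from_suspicious_dir),
]


def triage(events):
    """Return (rule, host, subject) for every rule each event matches; one event may fire several."""
    hits = []
    for ev in events:
        subject = ev.get("TargetUserName") or ev.get("NewProcessName") or "?"
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Computer", "?"), subject))
    return hits


# Constructed sample events (not real telemetry) in the shape of 4624/4688 fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.200.4.17", "TargetUserName": "jdoe", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.10.1.5", "TargetUserName": "jdoe", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.200.4.17", "TargetUserName": "Administrator", "Computer": "DC01"},
    {"EventID": 4688, "NewProcessName": r"C:\PerfLogs\update.exe", "Computer": "FILESRV01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "da-backup", "Computer": "WS042"},
]


def run_sample():
    """Run the rules over the constructed events; 5 hits across 4 events are expected."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, subject in run_sample():
        print(f"{rule:30} {host:10} {subject}")
```

The third sample event fires two rules at once (an RDP session from the VPN pool using the built-in Administrator account), which is exactly the combination the article singles out; in practice a rule that fires on that overlap deserves a higher severity than either indicator alone.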