It has been detected that a Chinese threat group exploited a previously patched Check Point VPN vulnerability (CVE-2024-24919) to infiltrate organizations across Europe, Africa, and the Americas. The attacks, which occurred between June 2024 and January 2025, primarily targeted the manufacturing sector, but also affected healthcare, logistics, and energy entities. This breach underscores the critical importance of timely patching and robust security measures.
Zero-Day Exploitation and Impact
The attackers leveraged a zero-day vulnerability in Check Point VPNs, a flaw that had already been addressed with a patch released in May 2024. Despite the availability of the patch, many organizations remained vulnerable, allowing the hackers to steal VPN credentials and gain unauthorized access to their networks. This highlights a common challenge in cybersecurity: the gap between patch release and patch implementation.
Once inside, the attackers deployed sophisticated malware, including ShadowPad, and in some instances, NailaoLocker ransomware. They conducted network reconnaissance, moved laterally toward domain controllers, and employed techniques like DLL sideloading to evade detection. The impact was widespread, with intrusions reported in Germany, Brazil, South Africa, and India, demonstrating the global reach of this campaign.
Targeted Sectors and Techniques
The primary target of these attacks was the manufacturing sector. However, the hackers also set their sights on healthcare, logistics, and energy organizations, indicating a broad range of strategic interests. The techniques used were advanced, including the deployment of custom malware and the use of DLL sideloading to bypass security measures. The attackers’ ability to remain undetected for extended periods is a testament to their skill and the sophistication of their methods.
Check Point’s Response and Recommendations
Check Point has confirmed the exploitation of the zero-day flaw and has urged customers to install the patches released on May 27, 2024. In addition to patching, Check Point recommends that organizations reset passwords for local VPN accounts and monitor for unusual VPN logins, suspicious RDP sessions, and the execution of binaries from unauthorized locations.
Key Takeaways and Recommendations
This incident serves as a crucial reminder of the importance of proactive cybersecurity measures. Here are some key recommendations for organizations to protect themselves from similar threats:
- Timely Patching: Implement a robust patch management system to ensure that security updates are applied promptly. The vulnerability exploited by the Chinese hackers had been patched, but many organizations failed to apply the update in time.
- Multi-Factor Authentication (MFA): Enforce MFA for all VPN and remote access connections. MFA adds an extra layer of security, making it more difficult for attackers to gain unauthorized access even if they have stolen credentials.
- Zero-Trust Architecture: Adopt a zero-trust approach to network security. In a zero-trust model, no user or device is trusted by default, and access is granted based on strict verification and authorization.
- Network Monitoring: Implement continuous network monitoring to detect and respond to suspicious activity. Look for unusual VPN logins, suspicious RDP sessions, and the execution of binaries from unauthorized locations.
- Incident Response Plan: Develop and regularly test an incident response plan. A well-defined plan will enable your organization to respond quickly and effectively in the event of a breach.
- Employee Training: Conduct regular employee training on cybersecurity awareness. Employees should be educated about phishing, social engineering, and other common attack vectors.
- Password Management: Enforce strong password policies and encourage users to use unique, complex passwords for all accounts.
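The monitoring guidance in Check Point's response and in the Network Monitoring item above (unusual VPN logins, suspicious RDP sessions, binaries executed from unauthorized locations), shown as an added Python example that is not part of the original article. The event schema, user and host names, and baselines below are constructed for illustration and are not Check Point's or any SIEM's real format.

```python
"""Toy detections for the three indicators Check Point recommends monitoring.
Event fields, names and baselines are constructed for this example only."""
from datetime import datetime

# Constructed sample events (not real telemetry), one event type per line.
SAMPLE_EVENTS = [
    {"kind": "vpn_login", "ts": "2024-06-02T08:14:00", "user": "j.doe", "src_country": "DE"},
    {"kind": "vpn_login", "ts": "2024-06-03T02:05:00", "user": "j.doe", "src_country": "DE"},
    {"kind": "vpn_login", "ts": "2024-06-03T10:05:00", "user": "j.doe", "src_country": "BR"},
    {"kind": "rdp_session", "ts": "2024-06-03T10:20:00", "src_host": "WS-1042", "dst_host": "DC01"},
    {"kind": "rdp_session", "ts": "2024-06-03T11:00:00", "src_host": "JUMP01", "dst_host": "DC01"},
    {"kind": "process_start", "ts": "2024-06-03T10:25:00", "host": "DC01",
     "image": "C:\\Users\\Public\\svchost.exe"},
    {"kind": "process_start", "ts": "2024-06-03T10:26:00", "host": "DC01",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]

# Constructed baselines: countries each user normally logs in from, hosts approved
# to open RDP sessions, and directories binaries are expected to run from.
KNOWN_COUNTRIES = {"j.doe": {"DE"}}
APPROVED_RDP_SOURCES = {"JUMP01"}
TRUSTED_EXEC_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WORK_HOURS = range(7, 20)  # 07:00-19:59 local; anything else counts as off-hours


def detect(events):
    """Return (ts, rule, detail) alerts for each event that matches a rule."""
    alerts = []
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["kind"] == "vpn_login":
            # A login from a country never seen for this user outranks the off-hours check.
            if ev["src_country"] not in KNOWN_COUNTRIES.get(ev["user"], set()):
                alerts.append((ev["ts"], "vpn_new_country", f'{ev["user"]} from {ev["src_country"]}'))
            elif hour not in WORK_HOURS:
                alerts.append((ev["ts"], "vpn_off_hours", f'{ev["user"]} at {hour:02d}h'))
        elif ev["kind"] == "rdp_session":
            # RDP toward servers (e.g. domain controllers) should come only from approved sources.
            if ev["src_host"] not in APPROVED_RDP_SOURCES:
                alerts.append((ev["ts"], "rdp_unapproved_source", f'{ev["src_host"]} -> {ev["dst_host"]}'))
        elif ev["kind"] == "process_start":
            # Case-insensitive prefix match on the image path against trusted directories.
            if not ev["image"].lower().startswith(TRUSTED_EXEC_DIRS):
                alerts.append((ev["ts"], "exec_untrusted_path", f'{ev["host"]}: {ev["image"]}'))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{ts}  {rule:22}  {detail}")
```

Real deployments would feed the same rules from VPN gateway logs, Windows Security event 4624 logon type 10 for RDP, and process-creation telemetry, with baselines learned per user and host rather than hard-coded.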
By taking these steps, organizations can significantly reduce their risk of falling victim to similar cyberattacks. The Chinese hackers’ exploitation of the Check Point VPN zero-day is a stark reminder that cybersecurity is an ongoing battle, and vigilance is essential.
About CVE-2024-24919
The vulnerability potentially allows an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available.
For fix details: https://support.checkpoint.com/results/sk/sk182337