2025-02-28
In late 2024, Orange Cyberdefense CERT uncovered a significant campaign it named Green Nailao. The campaign primarily targeted European organizations, including healthcare entities, and combined known malware families such as ShadowPad and PlugX with the previously undocumented NailaoLocker ransomware. Initial access came through vulnerable Check Point VPN appliances, which makes the threat particularly concerning: with this toolset the attackers were able to compromise critical systems, exfiltrate sensitive data, and deploy ransomware.
The Green Nailao Campaign
Orange Cyberdefense CERT attributed the Green Nailao intrusions to a cluster of threat actors that shared one access vector: compromised Check Point VPN appliances. The breach was made possible by exploiting CVE-2024-24919, a zero-day vulnerability in Check Point Security Gateways with the Remote Access VPN or Mobile Access features enabled. Successful exploitation gave the attackers unauthorized access to sensitive information on the gateway, including password hashes for local accounts, which they then used to establish a foothold in the network with legitimate credentials.
Once inside the network, the attackers deployed several malware families, including ShadowPad and PlugX, which provided lateral movement and persistence on the compromised systems. ShadowPad, a well-known modular backdoor linked to China-based Advanced Persistent Threat (APT) groups, had been modified to support additional evasion techniques. The attackers then used WMI (Windows Management Instrumentation) to push NailaoLocker ransomware, which encrypted files on the affected systems. The ransomware appends a “.locked” extension to encrypted files and demands a ransom in Bitcoin, but its note makes no mention of data theft.
Despite the attack’s sophistication, the researchers noted that the ransomware itself was not highly advanced, with several key limitations in its design. The campaign targeted multiple sectors, including healthcare, which has been a common focus for state-aligned threat groups.
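Two of the behaviours described above, ransomware pushed through WMI and mass renaming of files to a “.locked” extension, are observable in endpoint telemetry. The following detection checks are an added example, not code from the report or from Orange Cyberdefense; the log records are constructed samples, the payload path is a placeholder, and the allowlist and threshold are assumptions to tune per environment.

```python
"""Detection checks for WMI-launched processes and ".locked" rename bursts.
All events below are constructed samples, not real telemetry."""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"host": "WS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\PLACEHOLDER_payload.exe"},  # placeholder name
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\App\app.exe"},
]

# Constructed file-create/rename events: (host, new path).
FILE_EVENTS = (
    [("WS01", rf"C:\Users\alice\Documents\report{i}.docx.locked") for i in range(12)]
    + [("WS02", r"C:\Users\bob\notes.txt.locked")]
)

# Children the WMI provider host legitimately spawns; assumed, tune per site.
WMI_CHILD_ALLOWLIST = {"wmic.exe", "wmiadap.exe"}

def wmi_spawned_processes(events):
    """Return (host, image) for processes whose parent is WmiPrvSE.exe and
    that are not allowlisted: the pattern used to deploy NailaoLocker."""
    hits = []
    for ev in events:
        parent = PureWindowsPath(ev["parent"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        if parent == "wmiprvse.exe" and child not in WMI_CHILD_ALLOWLIST:
            hits.append((ev["host"], ev["image"]))
    return hits

def locked_extension_bursts(file_events, threshold=10):
    """Return {host: count} for hosts where at least `threshold` files gained
    the ".locked" suffix; one rename is noise, a burst is encryption underway."""
    counts = Counter(host for host, path in file_events
                     if path.lower().endswith(".locked"))
    return {host: n for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(wmi_spawned_processes(PROCESS_EVENTS))   # flags the WS01 payload
    print(locked_extension_bursts(FILE_EVENTS))     # flags WS01 only
```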
What Undercode Says:
The Green Nailao campaign presents a concerning evolution in cyberattack strategies. Historically, APT groups associated with China have focused on espionage and intellectual property theft, but this campaign introduces ransomware into the mix. This could signal a shift toward dual-purpose operations that combine financial motives with traditional espionage activities. The decision to deploy ransomware in conjunction with data exfiltration may also serve as a distraction, making it more difficult for defenders to identify the true purpose behind the attack.
The exploitation of CVE-2024-24919 in Check Point VPN appliances is significant, as it highlights a vulnerability in a critical access point for many organizations. The ability to compromise remote access VPN services exposes a wide array of enterprises to potential breaches. This attack highlights the need for constant vigilance and regular patching of known vulnerabilities.
In addition, the use of ShadowPad and PlugX continues to tie the attackers to groups with extensive experience in maintaining persistence within compromised networks. Their use of DLL side-loading and sophisticated techniques such as WMI for deployment further demonstrates the increasing complexity of modern cyberattacks. The attackers’ ability to avoid detection by leveraging legitimate executables for persistence and privilege escalation indicates that traditional defense mechanisms might not be sufficient against such advanced persistent threats.
The deployment of NailaoLocker ransomware, despite its simplicity, adds a further layer of complexity. Ransomware has increasingly been linked to state-sponsored activity, since it serves both as a financial tool and as a distraction from espionage objectives. The ransom note’s silence on data theft, which modern ransomware operations usually advertise, raises the question of whether the attackers’ primary goal was to extort funds, to steal sensitive data, or both.
The campaign also raises concerns for the healthcare sector, which has historically been a prime target for state-sponsored cyberattacks. Healthcare organizations often house sensitive data and critical infrastructure, making them lucrative targets for cybercriminals. In the case of the Green Nailao campaign, it’s possible that the attackers were seeking to gain access to these networks for further espionage or even to lay the groundwork for future offensive operations. Similar tactics were observed in previous campaigns, such as those involving APT41 targeting US pharmaceutical companies.
As we analyze this attack in the context of broader trends in cybersecurity, it becomes clear that the line between espionage and financial cybercrime is becoming increasingly blurred. Cybercriminals and state-sponsored actors are refining their methods to not only steal data but also monetize their intrusions through ransomware attacks. This dual-pronged approach makes it harder to discern the true intentions behind the attack and suggests a deeper, more strategic play at work.
Fact Checker Results:
- The CVE-2024-24919 vulnerability, identified in Check Point Security Gateways, is confirmed and remains exploitable.
- The malware variants (ShadowPad, PlugX, and NailaoLocker) are known to have been used in previous campaigns, further supporting the claim that this is a highly sophisticated threat.
- The healthcare sector’s targeting aligns with trends observed in past state-sponsored cyberattacks, specifically those linked to China.
References:
Reported By: https://securityaffairs.com/174440/malware/nailaolocker-ransomware-targets-eu-healthcare-related-entities.html