- A newly identified threat activity cluster leveraged the already-patched Check Point vulnerability CVE-2024-24919 (fixed in May 2024) to deploy ShadowPad. Reports indicate that, in a small number of cases, this initial infection also resulted in the deployment of NailaoLocker ransomware. No new vulnerability was exploited—only the previously disclosed and patched one.
- Customers who have not yet implemented the patch should follow the instructions here. This will prevent attackers from getting VPN credentials, which is the first step in the infection chain.
- The campaign targeted various organizations, mainly in Europe, Africa, and the Americas. The most targeted sector was manufacturing.
- Check Point has been contacting impacted customers, where visible.
Recent developments have unveiled a previously unknown threat activity cluster that has leveraged a vulnerability in Check Point’s security framework, identified as CVE-2024-24919. This vulnerability, which was patched in May 2024, has been exploited to deploy ShadowPad malware. Reportedly, in some cases, this initial infection also led to the deployment of NailaoLocker.
This campaign targeted various organizations in Europe, Africa, and the Americas. This campaign was actively observed between June 2024 and January 2025. In this blog, we will explore the details of these attacks and how Check Point is working to ensure robust customer protection against emerging threats.
The Attack Chain
Attackers initially gained access by exploiting Check Point Vulnerability CVE-2024-24919, reported and patched in May 2024, which allowed them to steal user credentials and log into the VPN with a valid account.
Next, they conducted network scanning and moved laterally using RDP or SMB to gain higher privileges, mostly connecting to the Domain Controller. Attackers executed legitimate programs to load malicious DLLs using the DLL Sideloading technique and thus inadvertently installed ShadowPad malware on victims’ machines. ShadowPad malware features advanced obfuscation and anti-debugging techniques and establishes communication with a remote server to create ongoing remote access to victim systems.
Reportedly, in a small number of ShadowPad infections, the attacker also deployed the NailaoLocker ransomware.
Hunting for Suspicious Activity
Searching for the following can help surface malicious activity associated with recent ShadowPad intrusions:
- Unusual logins into the VPN service
- Look for devices outside your inventory (unfamiliar MAC addresses or hostnames).
- In many cases, threat actors used machines with the default endpoint naming scheme DESKTOP- followed by seven letters\numbers (for example, DESKTOP-O82ILGG)
- Look for logins from unusual IP addresses, including those from atypical regions or those that indicate impossible travel.
- Lateral Movement
- Monitor for RDP sessions that connect directly from VPN-associated IP addresses to your domain controllers or other critical assets.
- Check for interactive sessions using high-privilege accounts, most importantly, domain administrator accounts.
- Deployment of ShadowPad malware
- Actively hunt for known indicators associated with the activity, as Appendix A provides. This includes file hashes, names, paths and domains, and IP addresses.
- Search for suspicious execution of binaries from the folder “C:\PerfLogs” using privileged accounts, especially on Domain Controllers.
- Search for suspicious services created manually using exe or any suspicious services running programs in C:\PerfLogs or C:\ProgramData.
Recommendation:
We strongly recommend our customers to take the following actions immediately:
- Verify the installation of this fix on Check Point Network Security gateways.
On May 27, 2024, Check Point released the following security updates:
- Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40
- Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP
- Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x
- Hunt for suspicious activity using the above guidelines.
- Update your Harmony Endpoint to version 88.50 and higher to ensure the best protection against the mentioned threats.
- Reset the password for local VPN accounts.
- Reset the password of the Check Point LDAP user connected to the GW.
Check Point remains committed to ensuring the security of its customers and products. Check Point XDR, Harmony Endpoint, and Threat Emulation protect against ShadowPad malware and NailaoLocker. Check Point IPS protects against exploitation of the VPN vulnerability (Check Point VPN Information Disclosure (CVE-2024-24919)).
Indicators of Compromise:
Sideloaded DLLs names:
- logexts.dll
- sensapi.dll
- nView64.dll
- CmLOC.dll
- aaaaLOC.dll
- SentinelAgentCore.dll
ShadowPad File Paths:
- C:\PerfLogs\
- C:\ProgramData\Microsoft\Windows\Caches\
- C:\Program Files\Microsoft\Crypto\DSS\
- C:\ProgramData\Microsoft\Network\Connections\
Hashes:
- a51f6c0144f4f66c40d9d18d98922ffb
- 4b53171013e7b3a3e50b3ee6cc9f8ce7
- 7d74814738bdc045dc7ee03669b5e949
- bc267a3b45d83a0feb4d7162e6ff8113
- daf90e0bc827a0d8da088c1d4c294710
- 0023d66a63eb0e716d0c2dafd5f17f5f
- ebf4fa09a1805297c6e272da3acf91d1
- 467fedf39009b426f4abf4470a014c15
- 41085ff38d803109b4da6ce46bb1c3a1
- 9037a12be2e178193eef56370b63a270
- c3b565e1207c7225607e20a871aad55f
- 4cada74f6530e3c21374f25a3617ad8f
- 027c8a7c9d892efe2301444685352b9d
- e6d269115922e627309e6a06750fd518
- 41d6954c06789182caf3f439977300a4
- 2ae8b0f939460eacc93cecb11484da3d
- 6bb2e0e349d477141dc382b68b64e351
- d715581eb387e336f35c407cf6304599
- 531159190bf2094995fb6616df5e68cc
- 347b80290da3d6bc496b36f7c9a610ef
Suspected ShadowPad C2 IP Addresses:
- 192.142.18.42
- 91.149.241.103
- 208.85.16.252
- 37.120.239.33
- 193.56.255.214
- 139.84.137.63
Suspected ShadowPad C2 Domains
- network.oossafe[.]com
- notes.oossafe[.]com
- czs.superdasqe[.]me
- dscriy.chtq[.]net
- api.emazemedia[.]com
- updata.dsqurey[.]com
- caba.superdasqe[.]me
- home.boopainc[.]com