Meet NailaoLocker: A Ransomware Distributed in Europe by Shadowpad and Plugx Backdoors

Summary:
An unidentified threat actor has been observed targeting European organizations, notably in the healthcare sector, with a previously undocumented C++ ransomware strain dubbed NailaoLocker. The campaign, tracked as Green Nailao, was uncovered by Orange Cyberdefense CERT; the intrusions took place between June and October 2024. The initial access vector typically involves the compromise of a Check Point VPN appliance, which Orange assesses was most likely achieved by exploiting CVE-2024-24919, a critical zero-day vulnerability affecting Check Point Security Gateways with the Remote Access VPN or Mobile Access blades enabled. Although Check Point released a fix for CVE-2024-24919 in May 2024, exploitation in the wild dates back to early April 2024. The vulnerability lets an unauthenticated attacker read sensitive files from the gateway, most notably enabling them to enumerate local accounts and extract their password hashes. Once cracked, those hashes yield valid credentials for password-only local accounts, which the attacker can use to authenticate to the VPN and gain an initial foothold in the organization's network.

Security Officer Comments:
While NailaoLocker ransomware has been deployed in the attacks observed thus far, the primary objective of the campaign appears to be cyberespionage rather than financial gain. According to Orange, NailaoLocker is relatively unsophisticated and poorly designed, with no apparent effort to ensure that encryption actually completes. In contrast to most ransomware families, NailaoLocker does not:
  • Scan network shares
  • Terminate services or processes that might obstruct the encryption of critical files
  • Monitor for debugging attempts
These omissions suggest that extortion was not the centerpiece of the operation, and that the activity is more aligned with covert surveillance or data exfiltration. Notably, Orange observed the deployment of two implants, PlugX and ShadowPad, both of which are frequently linked to Chinese-affiliated threat actors and which were used to deliver the ransomware. PlugX is a remote access Trojan that provides backdoor access to victim systems, allowing attackers to remotely monitor victim activity and deploy additional payloads of interest. ShadowPad, a modular backdoor, is believed to have been privately shared or sold among Chinese APT groups since 2015. It is widely used in cyberespionage campaigns targeting government entities, academic institutions, energy organizations, think tanks, and technology companies. According to Orange, the ShadowPad variant identified in this campaign is heavily obfuscated and relies on a Windows service and registry keys to maintain persistence across reboots, so a host that is merely cleaned of the ransomware may still be backdoored.
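Because the implants persist through a Windows service and registry keys, a first triage step on a suspected host is to list every service, service DLL and autorun entry whose executable lives outside the normal system locations. The script below is an added example written for this bulletin, not code from the Orange report, and it is a generic persistence-hunting check rather than a ShadowPad signature: it assumes only the standard registry layout of services and Run keys, and any path it flags still needs manual review, since legitimate third-party software installed under ProgramData or a user profile will also appear.

```powershell
# Added triage helper (not from the Orange report): enumerate Windows services,
# svchost-hosted service DLLs and Run/RunOnce autoruns whose binary sits outside
# the usual system directories. Generic persistence hunting, not a malware signature.

$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

# Pull the executable out of a service/autorun command line, handling quoted paths.
function Get-CommandExe {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

# True when the (environment-expanded) path starts under a trusted root.
function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Services: read ImagePath and any ServiceDll straight from the registry so the
# raw command line is visible (svchost-hosted services hide the real code in ServiceDll).
$serviceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$serviceHits = Get-ChildItem $serviceRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty "$serviceRoot\$name" -ErrorAction SilentlyContinue
    $exe   = Get-CommandExe $props.ImagePath
    if ($exe -and -not (Test-TrustedPath $exe)) {
        [pscustomobject]@{ Kind = 'Service'; Name = $name; Path = $exe; Start = $props.Start }
    }
    $dll = (Get-ItemProperty "$serviceRoot\$name\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and -not (Test-TrustedPath $dll)) {
        [pscustomobject]@{ Kind = 'ServiceDll'; Name = $name; Path = $dll; Start = $props.Start }
    }
}

# Autorun keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runHits = foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties PowerShell adds to every registry object.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Get-CommandExe ([string]$p.Value)
        if ($exe -and -not (Test-TrustedPath $exe)) {
            [pscustomobject]@{ Kind = 'Run'; Name = "$key\$($p.Name)"; Path = $exe; Start = $null }
        }
    }
}

# Start = 2 means the service is auto-started at boot; review every row by hand.
@($serviceHits) + @($runHits) | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host under investigation, and compare the flagged paths against the software inventory before treating anything as malicious. The check deliberately covers ServiceDll as well as ImagePath because a service whose ImagePath is a legitimate svchost.exe under System32 will pass the path test while loading its actual code from wherever ServiceDll points.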

Suggested Corrections:
Organizations should take immediate action to address CVE-2024-24919 by ensuring that all affected Check Point Security Gateways are running the hotfix Check Point released in May 2024. Because the vulnerability exposes local account password hashes, patching alone does not close the door on an appliance that may already have been exploited: rotate the passwords of all local accounts on affected gateways, review VPN authentication logs for unexpected logins from the period since April 2024, and prefer certificate-based or MFA-backed authentication over password-only local accounts. Additionally, robust network segmentation and least-privilege access policies should be implemented to limit lateral movement and reduce impact in the event of an intrusion. Organizations should also enforce multi-factor authentication on all remote access, deploy endpoint detection and response to detect and block backdoor implants like PlugX and ShadowPad, and hunt for the service- and registry-based persistence these implants rely on rather than stopping at removal of the ransomware binary.

Link(s):
https://www.orangecyberdefense.com/...ed-in-europe-by-shadowpad-and-plugx-backdoors