Chinese Hackers Exploit Check Point VPN Zero-Day to Target Organizations Globally

A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check Point VPN vulnerability (CVE-2024-24919) to infiltrate organizations across Europe, Africa, and the Americas, according to cybersecurity researchers.

The attacks, observed between June 2024 and January 2025, primarily targeted the manufacturing sector, deploying ShadowPad malware and, in limited cases, the NailaoLocker ransomware.

Check Point confirmed the exploitation of the zero-day flaw—patched in May 2024—which allowed attackers to steal VPN credentials and breach networks.

Attack Methodology and Malware Deployment

The threat actors exploited CVE-2024-24919, a vulnerability in Check Point’s Network Security gateways, to harvest valid VPN credentials.

After gaining initial access, they conducted network reconnaissance, leveraging Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move laterally toward domain controllers.

To evade detection, attackers employed DLL sideloading—a technique that abuses legitimate executables like FXSSVC.exe or LogonUI.exe to load malicious DLLs from directories such as C:\PerfLogs.

This enabled the stealthy installation of ShadowPad, a modular malware known for its advanced obfuscation and command-and-control (C2) capabilities.

In a subset of cases, the attackers deployed NailaoLocker ransomware, though researchers emphasize this appeared opportunistic rather than a core objective.

Check Point’s investigations revealed that compromised endpoints often followed a naming convention (e.g., DESKTOP-O82ILGG), suggesting automated credential exploitation.

Unusual login patterns—including IP addresses linked to anomalous geographic regions—further indicated coordinated attacks.

Global Impact and Sector Focus

Manufacturing firms constituted over 60% of confirmed targets, though healthcare, logistics, and energy entities were also affected.

The campaign’s geographic spread highlights the attackers’ broad economic espionage objectives, with intrusions reported in Germany, Brazil, South Africa, and India.

Analysts attribute the focus on manufacturing to the sector’s role in supply chains and intellectual property development, aligning with patterns of Chinese state-backed cyber operations.

Detection and Mitigation Strategies

Check Point has urged customers to verify installation of patches released on May 27, 2024, for affected products, including Quantum Security Gateway and CloudGuard Network Security.

The company also recommended password resets for local VPN accounts and LDAP users tied to gateways.

Organizations are advised to hunt for indicators such as:

• Unusual VPN logins from unrecognized devices or IPs associated with “impossible travel” (e.g., consecutive logins from distant locations within hours).
• Suspicious RDP sessions originating from VPN IPs and targeting domain controllers.
• Execution of binaries from C:\PerfLogs or unauthorized service creations.

Endpoint protection solutions like Harmony Endpoint (version 88.50+) and Check Point’s Threat Emulation platform have been updated to block ShadowPad and NailaoLocker payloads.

Network monitoring for DNS requests to malicious domains (e.g., update.grayshoal[.]com) and IPs (104.168.235[.]66) is also critical.

As geopolitical tensions fuel cyber warfare, enterprises are urged to adopt zero-trust architectures and enforce multi-factor authentication (MFA) on VPN access.

With ransomware actors increasingly piggybacking on espionage operations, proactive threat hunting remains indispensable to mitigating collateral damage.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free