Full Report
A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases. The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a newly patched security flaw
Analysis Summary
# Incident Report: Green Nailao Campaign - Check Point Vulnerability Exploitation Leading to NailaoLocker Ransomware
## Executive Summary
Between June and October 2024, a threat activity cluster, dubbed Green Nailao, targeted European organizations, primarily in the healthcare sector, by exploiting a zero-day vulnerability in Check Point network gateway security products (CVE-2024-24919). The initial compromise led to the deployment of sophisticated implants like PlugX and ShadowPad, followed by reconnaissance, lateral movement via RDP, and ultimately, the deployment of the relatively unsophisticated NailaoLocker ransomware in some instances. The operators are suspected to be Chinese-aligned, possibly blending espionage goals with opportunistic financial gain.
## Incident Details
- Discovery Date: June - October 2024 (Activity observed range)
- Incident Date: June - October 2024
- Affected Organization: European organizations, particularly in the healthcare sector
- Sector: Healthcare (Primary focus)
- Geography: Europe
## Timeline of Events
### Initial Access
- **Date/Time:** Starting June 2024
- **Vector:** Exploitation of unpatched Check Point network gateway security products (CVE-2024-24919, CVSS 7.5).
- **Details:** Exploitation gave the attackers access to the gateway, allowing them to retrieve user credentials and then establish VPN connectivity using those legitimate accounts.
### Lateral Movement
- **Date/Time:** Post-initial access
- **Details:** Attackers conducted network reconnaissance and then moved laterally over Remote Desktop Protocol (RDP), gaining elevated privileges in the process.
### Data Exfiltration/Impact
- **Date/Time:** Post-lateral movement
- **Details:** Evidence suggests an attempted data exfiltration: the attackers accessed the file system and created ZIP archives. The final impact, in some cases, was the deployment of NailaoLocker ransomware, which encrypts files and appends a ".locked" extension.
### Detection & Response
- **How it was discovered:** Detected and analyzed by Orange Cyberdefense CERT (codenamed Green Nailao).
- **Response actions taken:** Not explicitly detailed in the article, but analysis suggests the compromise chain was mapped out, identifying the tooling and techniques.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2024-24919 in Check Point gateways.
- **Persistence:** Established via deployment of ShadowPad/PlugX implants, utilizing sophisticated obfuscation and anti-debug measures to maintain remote access.
- **Privilege Escalation:** Achieved through lateral movement using RDP.
- **Defense Evasion:** Use of recognized, privately sold malware families (ShadowPad/PlugX) often associated with China-nexus intrusions, and sophisticated obfuscation within the implants.
- **Credential Access:** Gained credentials following initial access via the Check Point vulnerability.
- **Discovery:** Network reconnaissance was performed post-access.
- **Lateral Movement:** Achieved primarily using RDP.
- **Collection:** Data collection indicated by accessing the file system and creating ZIP archives for exfiltration.
- **Exfiltration:** Attempted data exfiltration via archived files.
- **Impact:** Execution of NailaoLocker ransomware (C++ based) via a DLL sideloading chain (usysdiag.exe -> sensapi.dll -> usysdiag.exe.dat): the legitimate signed usysdiag.exe loads the rogue sensapi.dll, which in turn loads the encrypted payload usysdiag.exe.dat.
## Impact Assessment
- **Financial:** Ransom demands required Bitcoin payments; costs associated with remediation and investigation unknown.
- **Data Breach:** Potential exfiltration of sensitive data suggested by ZIP archive creation; type/volume unspecified.
- **Operational:** Operational disruption occurred in victims where NailaoLocker was successfully deployed, leading to file encryption.
- **Reputational:** Potential reputational damage for targeted healthcare organizations.
## Indicators of Compromise
- **Network indicators:** Communication with a remote server (details unspecified).
- **File indicators:**
- Rogue DLL: `logexts.dll` (sideloaded via `logger.exe`)
- Legitimate signed binary used as loader: `usysdiag.exe`
- Ransomware loader: `sensapi.dll` (sideloaded via `usysdiag.exe`)
- Ransomware payload: `usysdiag.exe.dat`
- **Behavioral indicators:**
- DLL search-order hijacking for malware deployment.
- Sideloading techniques using legitimate executables (e.g., McAfee's `mcoemcpy.exe`, `usysdiag.exe`).
- Use of WMI for file transmission during the final payload stage.
## Response Actions
- **Containment:** Patch CVE-2024-24919 immediately across all affected Check Point environments (implied by the report rather than stated as a response action taken).
- **Eradication:** Removal of PlugX/ShadowPad implants and NailaoLocker instances from compromised systems.
- **Recovery:** Restoration of encrypted files (Note: Researchers indicated NailaoLocker may not guarantee full encryption, making recovery inconsistent).
## Lessons Learned
- Vulnerabilities in perimeter devices (here, Check Point gateways) provide a high-impact initial entry point.
- Attackers are leveraging sophisticated, known espionage tooling (ShadowPad/PlugX) in conjunction with opportunistic ransomware (NailaoLocker).
- Sophisticated initial-stage malware (ShadowPad) contrasted with unsophisticated final-stage malware (NailaoLocker) suggests a multi-purpose campaign or opportunistic monetization.
## Recommendations
- Immediately patch all Check Point network gateway products for CVE-2024-24919.
- Review VPN and RDP access logs for newly established connections that use legitimate credentials, including connections made after the vulnerability was patched, since credentials stolen beforehand remain valid.
- Enhance endpoint detection capabilities to monitor for sophisticated tradecraft such as DLL search-order hijacking and sideloading, especially involving legitimate signed binaries.
- Implement network segmentation to limit the impact of lateral movement via RDP once initial access is gained.
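The behavioral indicators above (DLL search-order hijacking and sideloading through legitimate signed binaries) and the endpoint-detection recommendation can be turned into a concrete check. The following is an added example written for this summary; it is not code from the report or from Orange Cyberdefense. It scans constructed, Sysmon-style "Image loaded" (Event ID 7) records for two patterns the report describes: a DLL bearing one of the rogue DLL names from the IoC list (`sensapi.dll`, `logexts.dll`) loaded from outside the Windows system directories, and one of the named host executables (`usysdiag.exe`, `logger.exe`, `mcoemcpy.exe`) loading a DLL from its own directory. The `key=value|key=value` line layout, the sample paths and the `Signed` field are assumptions made for the example.

```python
"""Sideloading detection over Sysmon-style image-load events (added example).

Assumed input format: one event per line, fields separated by '|',
each field as key=value, with Image (host process), ImageLoaded (DLL)
and Signed (true/false). These are assumptions, not a real log schema.
"""
import ntpath

# Constructed sample events for this example (not real telemetry).
SAMPLE_LINES = [
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\sensapi.dll|Signed=true",
    "Image=C:\\ProgramData\\usysdiag\\usysdiag.exe|ImageLoaded=C:\\ProgramData\\usysdiag\\sensapi.dll|Signed=false",
    "Image=C:\\Users\\Public\\logger.exe|ImageLoaded=C:\\Users\\Public\\logexts.dll|Signed=false",
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true",
    "Image=C:\\Windows\\System32\\logger.exe|ImageLoaded=C:\\Windows\\System32\\logexts.dll|Signed=true",
]

# Directories from which a Windows DLL is expected to load (lower-case, trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Rogue DLL names listed in the report's file indicators.
ROGUE_DLL_NAMES = {"sensapi.dll", "logexts.dll"}
# Legitimate executables the report names as sideloading hosts.
SIDELOAD_HOSTS = {"usysdiag.exe", "logger.exe", "mcoemcpy.exe"}


def parse_event(line):
    """Split 'k=v|k=v' into a dict; ntpath keeps Windows paths intact on any OS."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_system_dir(path):
    """True if the path lies under System32 or SysWOW64 (case-insensitive)."""
    return ntpath.normcase(path).startswith(SYSTEM_DIRS)


def same_dir(path_a, path_b):
    return ntpath.normcase(ntpath.dirname(path_a)) == ntpath.normcase(ntpath.dirname(path_b))


def classify(event):
    """Return the list of reasons an image-load event looks like sideloading."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_name = ntpath.basename(ntpath.normcase(host))
    dll_name = ntpath.basename(ntpath.normcase(dll))
    reasons = []
    # Pattern 1: a DLL carrying a known-rogue name resolved outside the system directories
    # (the search-order hijack the report describes).
    if dll_name in ROGUE_DLL_NAMES and not in_system_dir(dll):
        reasons.append(f"{dll_name} loaded from outside the system directories")
    # Pattern 2: a named legitimate host loads a DLL sitting next to itself.
    if host_name in SIDELOAD_HOSTS and same_dir(host, dll) and not in_system_dir(dll):
        reasons.append(f"sideload host {host_name} loaded {dll_name} from its own directory")
    # Corroborating signal only: an unsigned DLL on its own is too noisy to alert on.
    if reasons and event.get("Signed", "").lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return reasons


def find_sideloads(lines):
    """Evaluate every line and return the suspicious ones with basenames and reasons."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append({
                "host_name": ntpath.basename(ntpath.normcase(event["Image"])),
                "dll_name": ntpath.basename(ntpath.normcase(event["ImageLoaded"])),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LINES):
        print(f"{hit['host_name']} -> {hit['dll_name']}: " + "; ".join(hit["reasons"]))
```

Both benign samples (the genuine `sensapi.dll` loaded from System32, and a host binary loading a DLL from the system directory) produce no reasons, while the two events mirroring the report's chains are flagged on both the name-based and the directory-based rule. The unsigned flag is deliberately only corroborating, so that a signing check alone never raises an alert.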