
Cybersecurity Threat Advisory

A threat cluster dubbed “Green Nailao” is targeting European organizations, particularly in the healthcare sector, by exploiting the Check Point Network Gateway Security vulnerability CVE-2024-24919. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate your risk.

What is the threat?

CVE-2024-24919, with a CVSS score of 7.5, is a critical vulnerability in Check Point Security Gateways. The flaw allows threat actors to extract password hashes for all local accounts, enabling unauthorized VPN access with legitimate credentials. Malicious actors are using this vulnerability to conduct reconnaissance, move laterally through the network, and escalate privileges via RDP.

Upon successful exploitation, they deploy malware strains including ShadowPad or PlugX by sideloading rogue DLLs through legitimate binaries. The threat actor can then exfiltrate data and/or execute NailaoLocker ransomware – demanding Bitcoin payments or requesting contact via a Proton Mail address.

Why is it noteworthy?

This vulnerability enables malicious actors to deploy ransomware for financial gain, underscoring the importance of robust security measures. These include enforcing strong password policies and implementing multi-factor authentication to prevent unauthorized access and potential ransomware incidents.

What is the exposure or risk?

Organizations, particularly those in critical sectors like healthcare, are at high risk. ShadowPad is known to target government entities, the energy and technology sectors, and educational institutions. A successful attack can lead to:

  • Data breaches: The attackers could steal sensitive data from compromised healthcare organizations.
  • Disruption of services: Ransomware attacks can disrupt critical healthcare services, potentially impacting patient care.
  • Financial loss: Organizations may incur significant costs due to data recovery, system restoration, and ransom payments.
  • Reconnaissance: ShadowPad allows attackers to maintain long-term access to compromised systems, increasing the risk of further attacks.

What are the recommendations?

Barracuda recommends the following actions to limit the impact of exploitation:

  • Update affected devices to the latest firmware.
  • Enforce strong, unique passwords for all accounts and rotate them regularly.
  • Implement multi-factor authentication (MFA) to add an extra layer of security.
  • Deploy advanced endpoint protection solutions, such as Barracuda Managed XDR Endpoint Security, to detect and block PlugX, ShadowPad, and NailaoLocker.
  • Isolate critical systems and networks to prevent lateral movement by attackers.
  • Develop an incident response plan that includes procedures for ransomware attacks to ensure quick containment and recovery.
  • Conduct regular training sessions to educate employees about phishing attacks and safe online practices to reduce the risk of credential compromise.
  • Maintain regular backups of critical data and ensure backup systems are isolated from the main network to prevent ransomware from encrypting backups.

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Stacey Landrum

Stacey is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Stacey supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
