Companies critical to aerospace supply chains failed to patch a known CVE, setting the stage for foreign espionage. Chinese cybercriminals infiltrated sensitive manufacturing companies around the world by exploiting a Virtual Private Network (VPN) vulnerability.
APT41 Targets OT Organizations
In an exclusive interview with Dark Reading at CPX 2025, Check Point researchers shared new information about a months-long cyber campaign targeting priceless intellectual property (“IP”). In a nutshell, attackers attributed with low confidence to APT41 (aka Winnti) exploited a months-old path traversal vulnerability in Check Point’s security gateways to gain initial access to dozens of Operational Technology (OT) organizations across the globe. Check Point explained that it only tracks breaches of its own customers; the researchers therefore point out that the same operation could have a much wider impact.
Chinese Attackers Exploit CVE on Gateway
The activity has come in waves: immediately after the vulnerability was announced and patched in May 2024, cyberattacks began, peaking in November and continuing until last month. All victims were affected by the CVE-2024-24919 vulnerability in Check Point security gateways configured to enable remote access.
This vulnerability was the result of a small omission in how the devices verified file paths. With specially crafted requests, even unauthenticated attackers were able to access directories and files they shouldn’t have. These files can contain password hashes, and by cracking these hashes attackers can gain superuser privileges, giving them full control over a device. CVE-2024-24919 received a “high” risk score of 8.6 out of 10 on the Common Vulnerability Scoring System (CVSS). By exploiting this vulnerability, attackers were able to move laterally through target networks, escalate privileges and access more systems, including domain controllers. Finally, they created remote access points by installing the modular ShadowPad backdoor. Check Point researchers believe the attackers’ ultimate goal is to steal valuable intellectual property.
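As an added illustration of the bug class described above (example code written for this page, not Check Point’s code, and not the actual CVE-2024-24919 logic, which the article does not detail), the following contrasts a naive string-prefix path check with a canonicalizing check. The web root and request strings are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root from which a hypothetical gateway serves files.
WEB_ROOT = "/var/www/gateway"


def naive_resolve(requested: str) -> Optional[str]:
    """Vulnerable pattern: join first, then test only the *string* prefix.
    '..' segments are never collapsed, so the prefix test passes even when
    the path escapes WEB_ROOT once the OS resolves it."""
    candidate = WEB_ROOT + "/" + requested.lstrip("/")
    return candidate if candidate.startswith(WEB_ROOT + "/") else None


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: decode, collapse '.' and '..', then confirm the
    canonical path is still inside WEB_ROOT with a path-aware comparison.
    (Production code should additionally resolve symlinks with
    os.path.realpath before opening the file.)"""
    decoded = unquote(unquote(requested))  # handle single and double URL-encoding
    if "\x00" in decoded:
        return None  # embedded NUL can truncate paths in lower layers
    canonical = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # commonpath is component-aware, so "/var/www/gateway-old" does not pass.
    if posixpath.commonpath([WEB_ROOT, canonical]) != WEB_ROOT:
        return None
    return canonical


def actually_escapes(path: str) -> bool:
    """Where the filesystem would really land, regardless of the checker."""
    return posixpath.commonpath([WEB_ROOT, posixpath.normpath(path)]) != WEB_ROOT


# Constructed sample requests: one legitimate, three traversal attempts.
SAMPLE_REQUESTS = [
    "css/site.css",
    "../../config/secrets.conf",
    "..%2F..%2Fconfig%2Fsecrets.conf",
    "../gateway-old/x",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        naive, safe = naive_resolve(req), safe_resolve(req)
        leak = naive is not None and actually_escapes(naive)
        print(f"{req!r:38} naive_leaks={leak!s:5} safe={safe}")
```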
Researchers say they have not found any evidence that the attackers harmed their victims. They therefore consider these attacks to be a separate category from the cyber operation announced by Orange Cyberdefense on February 18. Orange Cyberdefense reported that the “Green Nailao” group it was tracking was using CVE-2024-24919 to infect organizations in Europe with ShadowPad, PlugX and the previously undocumented NailoLocker malware.
Global OT Organizations Targeted
Check Point identified two to three dozen victim organizations operating in large geographic areas. Most of these are based in the US and Latin America – about 20% are based in Mexico – but organizations in Europe, the Middle East and Africa have also been affected. While the attackers were not limited to a single region, they largely focused on specific, high-value OT sectors. For example, a significant number of targets were manufacturers that provide critical supply chains for aerospace companies. About half of the identified victims belonged to the manufacturing sector.
Fewer victims were in little-known sectors or geographies, for example utilities in small countries or financial institutions in Africa. Lotem Finkelsteen, Check Point’s director of threat intelligence, said: “We think attackers are working with surgical precision, planning everything flawlessly, and ‘secondary targets’ that are not part of their strategy do pop up from time to time. If access is gained, why not store it for future use?”
Eli Smadja, director of the Check Point research group, said: “You can’t know for sure what an attacker is thinking. A seemingly insignificant business could be a gateway to another company. For example, they can use financial institutions to reach their main target.”
Small OT Organizations Under Threat
The size of the affected companies is as striking as the sectors targeted by the attackers. “We often think of manufacturers as being large-scale, but many are extremely small; we’ve seen a similar trend in the operations of Chinese threat actors over the last few years – most of the victims were small businesses,” Finkelsteen said. Many manufacturers run only a single factory or operate like a small workshop, but that doesn’t stop them from being as valuable as larger competitors.
Small OT organizations, just like other businesses, are highly vulnerable to cyberattacks. Sergey Shykevich, group manager of threat intelligence at Check Point, says: “Usually there is not a full-time cybersecurity team. At most, there is an IT person who manages both security and all other aspects of IT.” Sometimes investigators even find that the only person they can reach in the company when a breach occurs is the business owner directly.
As a result, Finkelsteen summarizes, “Such businesses often don’t apply patches quickly or know what security measures to take to protect devices such as gateways and routers.” Small businesses need to make sure that the products they buy are regularly supported so that they are not vulnerable to these powerful groups targeting them. He concludes by emphasizing that it is not fair competition for highly advanced threat actors to target small businesses with advanced tools.
https://www.darkreading.com/ics-ot-security/chinese-apt-vpn-bug-worldwide-ot-orgs
