TrollEye Security

Chinese APT Targets Global Manufacturing Firms to Steal IP

Chinese Cybercriminals Exploit VPN Vulnerability to Breach Global Manufacturing Firms

According to Dark Reading, a newly discovered cyber-espionage campaign has shown how exposed the global manufacturing sector is, with Chinese threat actors infiltrating sensitive organizations through a flaw in a widely deployed virtual private network (VPN) gateway. Over several months, attackers, suspected with low confidence to be linked to APT41 (also known as Winnti), leveraged a path traversal vulnerability in Check Point security gateways to gain initial access to dozens of operational technology (OT) organizations worldwide.

A Persistent and Targeted Cyber-Espionage Campaign

Check Point researchers tracked compromises only among their own customers but suspect that the campaign extends well beyond the victims they identified. The attacks unfolded in waves, beginning shortly after the disclosure and patching of CVE-2024-24919 in May 2024, peaking in November, and continuing into early 2025. CVE-2024-24919 is a high-severity vulnerability (CVSS 8.6) affecting Check Point security gateways that were exposed to the internet and configured for remote access, that is, with the IPsec VPN (Remote Access) or Mobile Access software blades enabled.

The vulnerability stemmed from missing file path validation in the appliance's web front end: an unauthenticated attacker could craft a request whose path escaped the intended directory and read arbitrary files on the gateway, including the files holding local account password hashes. By extracting and cracking those hashes, attackers could log in to the appliance and escalate to superuser level, gaining full control of the device. That foothold enabled lateral movement into the connected network, where the attackers compromised domain controllers and deployed the modular ShadowPad backdoor for persistent access.
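To make the flaw class concrete, the following is an added example written for this page; it is not Check Point's code and does not reproduce the actual CVE-2024-24919 request. It contrasts a naive path resolver, which lets `../` segments escape the document root, with a hardened one that decodes the request once, normalizes it, and refuses anything that does not stay under the root. It also runs the same check over a few constructed web-server log lines, the kind of retrospective hunt a defender would do after the advisory. `BASE_DIR`, the log lines and all function names are assumptions made up for the illustration.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root of a file-serving endpoint (assumption for this example).
BASE_DIR = "/srv/www/static"


def naive_resolve(requested: str) -> str:
    """Vulnerable pattern: the client-supplied path is glued onto BASE_DIR with
    no validation. The kernel normalises '..' when the file is opened, so the
    returned (normalised) path can land anywhere on the filesystem."""
    return posixpath.normpath(BASE_DIR + "/" + requested)


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: decode exactly once, normalise, then require the
    result to remain inside BASE_DIR. Returns None when the request must be
    rejected. Double-encoded sequences such as %252e stay literal after a
    single decode and therefore never become '..'."""
    decoded = unquote(requested)
    if "\x00" in decoded:              # NUL can truncate the path in C-level APIs
        return None
    if decoded.startswith("/"):        # a relative resource is never absolute
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # commonpath yields the deepest shared ancestor; if it is not BASE_DIR
    # itself, the normalised path has escaped the root.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


# Constructed sample access-log lines for the retrospective check below.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /css/site.css HTTP/1.1" 200',
    '203.0.113.7 - - "GET /..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200',
    '203.0.113.7 - - "GET /images/../../../../etc/passwd HTTP/1.1" 404',
    '198.51.100.9 - - "GET /img/%252e%252e/logo.png HTTP/1.1" 404',
]

_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP')


def flag_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, raw_path) for every request whose path would be
    rejected by safe_resolve, i.e. attempted traversal outside BASE_DIR.
    The leading '/' of an HTTP request-target is stripped before checking."""
    hits = []
    for line in lines:
        m = _REQ.match(line)
        if not m:
            continue
        client, raw_path = m.group(1), m.group(2)
        if safe_resolve(raw_path.lstrip("/")) is None:
            hits.append((client, raw_path))
    return hits


if __name__ == "__main__":
    print("naive :", naive_resolve("../../../etc/shadow"))
    print("safe  :", safe_resolve("../../../etc/shadow"))
    for client, path in flag_requests(SAMPLE_LOG):
        print("traversal attempt from", client, "->", path)
```

The double-encoded line is deliberately not flagged: after a single decode it is a request for a literal `%2e%2e` directory, which is how a decode-once server would treat it. If the front end in question decodes twice, the detector must do the same, so match the decoding behaviour of the component you are hunting against.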

The primary intent of the campaign appears to have been theft of intellectual property (IP); Check Point researchers observed no disruptive actions by the attackers. This contrasts with a separate campaign disclosed on February 18 by Orange Cyberdefense, in which a group tracked as "Green Nailao" exploited the same vulnerability to infect European organizations with ShadowPad, PlugX, and the newly discovered "NailaoLocker" ransomware.

Organizations Affected Worldwide

The espionage campaign had a global reach, with victims across the United States, Latin America, Europe, the Middle East, and Africa. Notably, 20% of all identified victims were based in Mexico. The targeting was industry-focused rather than regional, however: a significant share of the affected entities were manufacturers in the supply chains of the aviation and aerospace sectors, and roughly half of all victims were manufacturing companies, underscoring the attackers' interest in industrial intellectual property.

While major corporations were among the targets, a significant number of victims were small operational technology firms. Many of these operate with minimal cybersecurity defenses, often relying on a single IT professional who handles security alongside many other responsibilities. That dependence on under-resourced IT staff makes smaller OT firms particularly exposed to sophisticated threat actors. In some cases, researchers attempting to notify affected organizations had to contact the business owners directly because no dedicated security team existed.

Secure Your Supply Chain to Prevent These Attacks

The breach of these manufacturers raises concerns about the security of global supply chains and is a reminder that even a single unpatched, internet-facing appliance can have severe consequences when the adversary is state-sponsored or similarly capable. Because the attackers harvested credentials before moving inward, patching the gateway alone is not enough: local account passwords and VPN credentials on any appliance that was exposed while vulnerable should be rotated, and logs reviewed for access from unfamiliar sources. With attackers focusing on small but strategically important firms, companies of all sizes must prioritize timely patching, reducing the internet exposure of remote-access appliances, network segmentation between remote-access infrastructure and domain controllers, strong access controls, and third-party vendor risk management to mitigate the risk of similar attacks.
