State-sponsored adversaries are increasingly targeting critical infrastructure as well as technology companies. Palo Alto Networks' Unit 42 security research team discovered an active cyberespionage campaign that has already targeted nine businesses in vital sectors worldwide, including education, military, energy, health care, and technology. The research report, which included input from the National Security Agency (NSA), indicates that the campaign aims to collect key information from US defense firms.
Exploiting a Zoho Vulnerability
The researchers found that the attackers gained access to these critical networks by exploiting a recently patched vulnerability, CVE-2021-40539, in Zoho's ManageEngine ADSelfService Plus, an identity and access management product. The flaw allowed attackers to bypass REST API authentication, which led to remote code execution. After exploiting the vulnerability, the threat actors installed two backdoors on the compromised systems: the Godzilla web shell and the NGLite payload. The Godzilla web shell analyzes inbound HTTP POST requests and can decrypt sensitive data.
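The page says only that REST API authentication was bypassed; one common cause of that class of bug is a mismatch between the literal path an authentication filter checks and the path the servlet container resolves after decoding and collapsing dot-segments. The following detector is an added example, not code from the Unit 42 report or from Zoho: it replays constructed access-log lines through both views and flags requests that reach the protected prefix only after normalization. The /RestAPI prefix, the endpoint names and the log lines are assumptions.

```python
"""Flag requests that reach a prefix-guarded REST API only after path normalization.

Added example, not code from the Unit 42 report or from Zoho. Assumes an auth
filter that guards the literal prefix /RestAPI by string comparison while the
container decodes and collapses dot-segments before routing; endpoint names and
log lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/RestAPI"  # assumed prefix guarded by the auth filter
# Common-log style: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def normalize(raw_path: str) -> str:
    """Path the container actually routes: strip query, decode, collapse . and .. segments."""
    path = unquote(raw_path.split("?", 1)[0])
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm

def naive_filter_matches(raw_path: str) -> bool:
    """What a literal prefix filter sees: the raw request string, before normalization."""
    return raw_path.split("?", 1)[0].startswith(PROTECTED_PREFIX)

def find_bypasses(log_lines):
    """Return (ip, method, raw_path, status) for requests the filter let through
    but the container still routed under the protected prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["path"]
        if normalize(raw).startswith(PROTECTED_PREFIX) and not naive_filter_matches(raw):
            hits.append((m["ip"], m["method"], raw, int(m["status"])))
    return hits

# Constructed sample log (RFC 5737 documentation addresses, placeholder endpoint names).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Sep/2021:10:11:58 +0000] "GET /RestAPI/example HTTP/1.1" 401 0',
    '198.51.100.7 - - [17/Sep/2021:10:11:59 +0000] "GET /ssp/index.html HTTP/1.1" 200 4211',
    '203.0.113.5 - - [17/Sep/2021:10:12:01 +0000] "POST /./RestAPI/example HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Sep/2021:10:12:03 +0000] "POST /ssp/../RestAPI/example?id=1 HTTP/1.1" 200 77',
    '203.0.113.5 - - [17/Sep/2021:10:12:05 +0000] "POST /%2e/RestAPI/example HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print("possible auth-filter bypass:", hit)
```

Against real Tomcat access logs, adjust LOG_RE to the server's configured log format; POST requests flagged with a 200 status are the ones to review first.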
After gaining full access to the domain controllers, the attackers used KdcSponge, a custom credential-stealing tool built to harvest credentials from domain controllers. According to the researchers, “KdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific functions to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos. The malicious code writes stolen credentials to a file but is reliant on other capabilities for exfiltration.”
Both Godzilla and NGLite, according to the researchers, were created using Chinese instructions and are available for free download on GitHub.
A wide scan to detect vulnerable Zoho servers covered over 370 enterprises in the United States. The effort linked exposed servers to US entities such as the Department of Defense, defense contractors, educational institutions, and health care providers. According to scans by Palo Alto's Cortex Xpanse platform, the vulnerable Zoho software is running on more than 11,000 internet-exposed devices worldwide. The scans did not reveal how many of those systems had already been patched.
Rob Joyce, Director of Cybersecurity at the US National Security Agency, has urged users and organizations to review the Unit 42 findings for evidence of compromise by this ongoing campaign.
According to reports, the campaign began on September 17, a day after CISA issued a warning about the active exploitation of Zoho vulnerabilities, including CVE-2021-40539. According to the agency, exploitation of ManageEngine ADSelfService Plus poses a significant risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.
To limit the risk from actively exploited vulnerabilities, the agency has issued a Binding Operational Directive (BOD). The new directive, which applies to any hardware or software found on government information systems, requires federal civilian agencies to remediate such flaws within a set time frame.
Involvement Of Chinese Actors
While the attackers remain unidentified, Unit 42 researchers believe the tactics used in the campaign resemble those of the Chinese threat group Emissary Panda, also known as TG-3390 and APT27.
“We can see that TG-3390 similarly used web exploitation and another popular Chinese web shell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller. While the web shells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling,” the researchers added.
To avoid exploitation, organizations of all sizes must respond quickly to important vulnerability reports and apply the required security safeguards. This is especially vital for organizations in key industries, which are continuously probed for weaknesses by ransomware operators.
Vulnerabilities must be reported to vendors as soon as possible so that corrective action can be taken. Vulnerability disclosure programs provide instructions on how to report security flaws to companies, and they help enterprises reduce risk by enabling vulnerabilities to be disclosed and fixed before they can be exploited.