Researchers at Palo Alto Networks Unit 42 have discovered that a China-linked hacking group breached at least nine organizations as part of a global cyberespionage campaign.
The report says the attackers indiscriminately targeted around 370 organizations in the defense, healthcare, education, technology and energy sectors.
According to the researchers, the hackers targeted organizations running vulnerable Zoho servers and compromised at least one entity in the United States.
Cyberespionage Campaign Deploys Godzilla Webshells, NGLite Backdoors
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the US Coast Guard issued an alert on September 16, 2021 regarding malicious actors exploiting a vulnerability in Zoho’s ManageEngine ADSelfService Plus password manager.
The attacks exploited an authentication bypass vulnerability, CVE-2021-40539, which could allow remote code execution and the deployment of additional payloads. The joint alert warned that the vulnerability posed serious risks to US critical infrastructure entities and defense contractors.
“The ADSelfService attack is another example of hackers using zero-day vulnerabilities to insert malware into our businesses,” said Garret Grajek, CEO of YouAttest. “This particular APT is a credential theft tool for the purpose of continually stealing corporate credentials.
“The fact that the new attack builds on previously patched components shows how important zero trust concepts are to the business. We have to assume that any component of the business is compromised, even recently patched ones – and therefore harden our identities and enforce the principle of least privilege on all accounts – especially service accounts.”
Palo Alto Networks subsequently detected a second wave of attacks attempting to compromise vulnerable servers between September 22 and early October.
During the campaign, the malicious actors installed Godzilla webshells on compromised systems and NGLite backdoors on a subset of victims. NGLite communicates over the New Kind of Network (NKN) protocol, a decentralized network based on blockchain technology.
The attackers used the webshells or backdoors to execute remote commands, move laterally, and exfiltrate sensitive files. They also installed a password-stealing tool, KdcSponge, to harvest login credentials and maintain access to compromised servers.
The tool hooks into the Local Security Authority Subsystem Service (LSASS) to collect usernames and passwords.
“Ultimately, the actor was interested in stealing credentials, maintaining access and collecting sensitive files from victims’ networks for exfiltration,” the researchers wrote.
Palo Alto Networks Unit 42 chairman Ryan Olson noted that organizations were being targeted in the cyberespionage campaign because of the valuable information they held.
“Overall, access to this information can be very valuable,” Olson told CNN. “Even if it is not classified information, even if it is only information about the operation of the business.”
Saryu Nayyar, CEO of Gurucul, noted that the cyberespionage campaign is a nightmare for critical infrastructure, defense and healthcare organizations.
“Malware that lurks on systems and networks until activated is one of the most insidious attacks possible because the possibility of detection is often fleeting. SOC IT staff and analysts should use automated approaches to identify these activities as suspicious and high-risk, and automatically begin remediation when possible.”
Chinese hacking group Emissary Panda responsible for global cyberespionage campaign
The cybersecurity firm did not disclose the identity of the breached organization in the United States, and Unit 42 researchers could not authoritatively attribute the cyberespionage campaign to a specific threat actor.
However, based on the tactics, techniques and procedures (TTPs) deployed, the researchers argued that the activity resembles that of the Chinese hacking group Emissary Panda, also tracked as Threat Group 3390 (TG-3390), APT27 and Bronze Union.
“Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web mining and another popular Chinese webshell called ChinaChopper for their initial positions before using stolen legitimate credentials for lateral movement and attacks on a domain controller,” the researchers said.
“Although the webshells and exploits differ, once the actors gained access to the environment, we noticed an overlap in some of their exfiltration tools.”
NSA Cybersecurity Director Rob Joyce advised organizations to review the report and check their systems for the published indicators of compromise (IOCs).
The United States National Security Agency (NSA) and the CISA are both monitoring the cyberespionage campaign.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said the agencies have adopted a public-private program, the Joint Cyber Defense Collaborative (JCDC), to understand cyber threats and respond to activity.
“Today’s tools and resources give malicious actors unprecedented capabilities to analyze and exploit vulnerabilities at scale,” said Doug Britton, CEO of Haystack Solutions. “This helps accelerate RAT attacks in businesses critical to the well-being of our economy.
“These types of attacks and others like them won’t stop until we put tougher measures in place. We need to invest in the next generation of cyber professionals. We have the tools to find talent even in a tight labor market and we need to double that investment to ensure we have the capacity to tackle these threats in the future.”