Mass spying campaign against critical sectors detected
Palo Alto Networks, a US multinational cybersecurity company, announced yesterday that its researchers have detected an ongoing, global hacking campaign against Zoho’s ManageEngine ADSelfService Plus password management solution, one that has compromised unpatched systems in at least nine critical-sector organisations.
ADSelfService Plus is popular software used in organisations that require an integrated self-service password management and single sign-on solution for Active Directory and cloud apps.
Scanning of vulnerable servers was observed by Palo Alto Networks researchers on 17th September, only the day after a joint advisory was released by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the United States Coast Guard Cyber Command (CGCYBER). CISA had previously warned of an exploit campaign targeting Zoho’s software nine days prior.
After scanning and collecting data from still-unpatched targets, the threat group had moved on to more active exploitation by 22nd September.
With the assistance of the National Security Agency’s (NSA) Cybersecurity Collaboration Center, a division tasked with preventing and combating foreign cyber threats to the National Security Systems (NSS), the Department of Defense and the Defense Industrial Base (DIB), Palo Alto Networks’ researchers have been able to analyse and expose a string of ongoing exploits by unknown threat actors targeting US Defense contractors as well as the energy, technology, healthcare and education sectors.
Nature of the hacks
To breach organisations' networks and systems, the threat actors leverage a critical vulnerability, tracked as CVE-2021-40539, in ManageEngine ADSelfService Plus, Zoho’s enterprise password management solution. This allows the threat actors to remotely execute code on unpatched systems without authentication.
After the threat actors gain access to the initial server by leveraging the CVE-2021-40539 vulnerability, they deploy a malware dropper to deliver Godzilla web shells and maintain access to the victims' compromised networks. Malware like NGLite, an open-source backdoor, is also used.
Next, the threat actors utilise KdcSponge, a credential-stealing malware, to leverage the Windows LSASS API functions and acquire credentials like domain names, usernames, and passwords.
This data is then exfiltrated to the threat actor’s infrastructure for the purposes of maintaining access and privilege escalation. Researchers at Palo Alto Networks said, “After gaining access to the initial server, the actors focused their efforts on gathering and exfiltrating sensitive information from local domain controllers, such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry”.
With regard to key points of interest, it appears the threat actor is ultimately “interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration”.
Reportedly, Palo Alto Networks have discovered over 11,000 internet-exposed servers with the Zoho software vulnerability. It remains unknown how many of these systems have since been patched.
The researchers said that while they “lack insight into the totality of organizations that were exploited during this campaign”, it is believed “that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised”.
The researchers further stated, “Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone” and “that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities”.
There could also be more than one threat group at play: following the joint advisory, the researchers saw a series of unrelated, unsuccessful attempts to compromise these targets, indicating the possibility of other state-backed or financially-motivated threat groups joining in.
Any organisation with an ADSelfService Plus build lower than 6114 is strongly urged to get the latest update released by the developer using the service pack in order to help combat this exploit.
Chinese APT link
While cyber researchers are still working to attribute these cyber attacks to a threat group, a number suspect it’s the work of a Chinese-backed APT group known as APT27 due to both the targets and the tools and tactics used in this campaign echoing the group’s previous cyber espionage campaigns.
APT27 is also known as TG-3390, BRONZE UNION, Iron Tiger, LuckyMouse, and Emissary Panda.
In March, a series of attacks against unpatched, on-premise Microsoft Exchange servers, exploiting critical vulnerabilities dubbed ProxyLogon to achieve remote code execution without authentication, was attributed to APT27. The group was also linked to ransomware attacks against major gaming companies.
In June, the US and allies, including NATO and the European Union, officially blamed China for the widespread hacking campaign that hit Microsoft Exchange over the past year. In response, China called the accusations “groundless” despite mounting evidence.
Over the past year, companies and critical infrastructure have been facing unprecedented waves of cyber attacks. With the attacks only set to increase in their frequency and sophistication, now more than ever organisations need to keep on top of cybersecurity best practices and be vigilant with their defences, including making sure that their software is up to date with the latest security patches.