Zoho Password Manager Flaw Torched by Godzilla Webshell, New Data Stealer


A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data. On Sunday, Palo Alto Network’s Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) that the targeted cyberespionage campaign is distinct from the ones that the FBI and [CISA warned about](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September. The bug is a critical authentication bypass flaw – CVE-2021-40539 – that allows unauthenticated remote code execution (RCE). Zoho [patched](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) the vulnerability in September, but it’s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users’ Active Directory (AD) and cloud accounts. Consequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users and attackers alike. CISA’s alert explained that in the earlier attacks, state-backed, advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments. Nine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October. Unit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone. “While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised.” they said. ## Godzilla Webshell Does Some Heavy Lifting Unit 42 said that after threat actors exploited [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell. The actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called [NGLite](<https://github.com/Maka8ka/NGLite>) and a new credential-stealer that Unit 42 is tracking as KdcSponge. “The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server,” according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos. Both Godzilla and NGLite are written in Chinese and are free for the taking on GitHub. “We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it “parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.” As such, attackers can refrain from inflicting targeted systems with code that’s likely to be flagged as malicious until they’re ready to dynamically execute it, researchers said. ## Using NKN to Communicate Is an Eye-Opener “NGLite is characterized by its author as an ‘anonymous cross-platform remote control program based on blockchain technology,'” United 42 researchers Robert Falcone, Jeff White and Peter Renals explained. “It leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.” The researchers noted that using NKN – a legitimate networking service that uses blockchain technology to support a decentralized network of peers – for a C2 channel is “very uncommon.” “We have seen only 13 samples communicating with NKN altogether – nine NGLite samples and four related to a legitimate open-source utility called [Surge](<https://github.com/rule110-io/surge>) that uses NKN for file sharing.” ## Threat Actor Shares TTPs with Emissary Panda Unit 42 said the identity of the threat actor is unclear, but researchers saw [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of Threat Group 3390, aka [Emissary Panda](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>), APT27, Bronze Union and LuckyMouse), an APT that’s been around since 2013 and which [is believed to operate from China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>). “Specifically, as documented by SecureWorks in an article on a [previous TG-3390 operation](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>), we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called [ChinaChopper](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” Unit 42 said. “While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.” 110921 08:51 UPDATE: [Microsoft said](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) on Monday that it’s attributing this campaign with high confidence to DEV-0322, a group operating out of China, “based on observed infrastructure, victimology, tactics, and procedures.” Microsoft’s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day – CVE-2021-35211, a remote memory escape – that SolarWinds [patched](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in July. MSTIC researchers said that the attacks in this new round of beating up Zoho password manager are installing a custom IIS module. IIS, or Internet Information Services, is an extensible web server software created by Microsoft for use with the Windows NT family. Besides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised [Zimbra email servers.](<https://threatpost.com/zimbra-server-bugs-email-plundering/168188/>) In its Sept. 16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should “take action immediately.” Also, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, “if any indication is found that the NTDS.dit file was compromised.” ## Classic Cyberespionage Targets: Healthcare and Energy If the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won’t be surprising, some said. Dave Klein, cyber evangelist and director at [Cymulate](<https://cymulate.com/>), pointed to the People’s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data. He pointed to the [2015 breach](<https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/>) of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly [attributed](<https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1>) to the PRC. It included exquisitely sensitive information, including millions of federal employees’ fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators. “The PRC got into clearance background information data including very sensitive information. Subsequently in that case they were looking for weaknesses in US classified personnel – which would include health hardships – either personally or related to them,” Klein told Threapost via email on Monday. He noted that following the OPM breach, some healthcare agencies were subsequently breached, including [Anthem Health](<https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/>): an attack that affected more than 78 million people. “The interest in healthcare data globally continues not only for espionage purposes against targets – building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,” Klein noted. “On energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.” ## If Patching Isn’t Mandatory, a Breach Is a Given Mike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and MangeEngine are ripe fruit for threat actors to pluck. Organizations that can’t or won’t patch are sitting ducks, he said. “For whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn’t keep patching updated,” Denapoli told Threatpost. “We have reached the point where patching is a must – within a reasonable amount of time – and needs to be performed. While you don’t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. If not, then a breach is mandatory.” _Image courtesy of [AlphaCoders](<https://wall.alphacoders.com/big.php?i=1012166>)._ 110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein. **_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus._** [**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at _**[**_becky.bracken@threatpost.com_**](<mailto:becky.bracken@threatpost.com>)**_._**