CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 100.0%
A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.
On Sunday, Palo Alto Networks' Unit 42 researchers said that the targeted cyberespionage campaign is distinct from the ones that the FBI and CISA warned about in September.
The bug is a critical authentication bypass flaw, CVE-2021-40539, that allows unauthenticated remote code execution (RCE). Zoho patched the vulnerability in September, but it has been actively exploited in the wild since at least August, when it was a zero-day, opening the corporate doors to attackers who then have free rein across users' Active Directory (AD) and cloud accounts.
Consequences of a successful exploit can be significant: Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, so any attacker able to take control of it gains multiple pivot points into mission-critical apps (and their sensitive data) and, via AD, into other parts of the corporate network. It is, in other words, a powerful, highly privileged application that can act as a convenient point of entry to areas deep inside an enterprise's footprint, for users and attackers alike.
CISA's alert explained that in the earlier attacks, state-backed advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.
Nine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.
Unit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.
"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," they said.
Unit 42 said that after threat actors exploited CVE-2021-40539 to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.
The actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called NGLite and a new credential-stealer that Unit 42 is tracking as KdcSponge.
"The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server," according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.
Both Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.
"We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks," Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it "parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response."
As such, attackers can refrain from planting code that's likely to be flagged as malicious on targeted systems until they're ready to execute it dynamically, researchers said.
"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'" Unit 42 researchers Robert Falcone, Jeff White and Peter Renals explained. "It leverages New Kind of Network (NKN) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users."
The researchers noted that using NKN, a legitimate networking service that uses blockchain technology to support a decentralized network of peers, for a C2 channel is "very uncommon."
"We have seen only 13 samples communicating with NKN altogether: nine NGLite samples and four related to a legitimate open-source utility called Surge that uses NKN for file sharing."
Unit 42 said the identity of the threat actor is unclear, but researchers saw correlations in tactics and tooling between the attacker and Threat Group 3390 (aka Emissary Panda, APT27, Bronze Union and LuckyMouse), an APT that has been around since 2013 and is believed to operate from China.
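The webshell behaviour described above (POST-only traffic to a script that no page links to, carrying an encrypted body) leaves a recognisable shape in web server logs. The following PowerShell is an added example, not code from the article or from Unit 42: it parses IIS W3C log lines and flags paths that receive only Referer-less POSTs from a handful of clients and are not on a known-good list of POST endpoints. The log lines, the `/help/EXAMPLE-dropped.jsp` path and the `$KnownGoodPostTargets` baseline are all constructed for the demo.

```powershell
# Added example (not from the article or from Unit 42): a hunt over IIS W3C log lines for
# endpoints that look like a POST-driven webshell. The log lines and paths are constructed.
# Field order follows the default IIS W3C layout; IIS writes '+' for spaces inside a field
# and '-' for an empty one, so splitting on whitespace is safe.

$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-22 03:14:07 10.0.0.5 GET /samlLogin/LoginAuth - 8888 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-09-22 03:14:09 10.0.0.5 POST /samlLogin/LoginAuth - 8888 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) https://sso.example.internal/ 302 0 0 88
2021-09-22 03:15:41 10.0.0.5 POST /help/EXAMPLE-dropped.jsp - 8888 - 203.0.113.9 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 455
2021-09-22 03:15:52 10.0.0.5 POST /help/EXAMPLE-dropped.jsp - 8888 - 203.0.113.9 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 612
2021-09-22 03:16:03 10.0.0.5 POST /help/EXAMPLE-dropped.jsp - 8888 - 203.0.113.9 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 590
2021-09-22 03:20:17 10.0.0.5 POST /help/EXAMPLE-dropped.jsp - 8888 - 203.0.113.77 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 1301
2021-09-22 03:21:00 10.0.0.5 GET /images/logo.png - 8888 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) https://sso.example.internal/ 200 0 0 4
'@

# Constructed baseline of endpoints that legitimately receive POSTs on this host.
$KnownGoodPostTargets = @('/samlLogin/LoginAuth')

function ConvertFrom-IisW3cLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{
            Method   = $f[3]
            Uri      = $f[4]
            ClientIp = $f[8]
            Referer  = $f[10]
            Status   = [int]$f[11]
        }
    }
}

function Find-WebshellCandidate {
    param(
        [string[]]$Lines,
        [string[]]$KnownGood,
        [int]$MinPosts = 3
    )
    ConvertFrom-IisW3cLine -Lines $Lines | Group-Object -Property Uri | ForEach-Object {
        $hits  = @($_.Group)
        $posts = @($hits | Where-Object { $_.Method -eq 'POST' }).Count
        $noRef = @($hits | Where-Object { $_.Referer -eq '-' }).Count
        $ips   = @($hits | Select-Object -ExpandProperty ClientIp -Unique).Count
        # Webshell traffic is POST-only, carries no Referer (no page links to it), comes from
        # few clients, and targets a path the application does not normally accept POSTs on.
        if ($posts -eq $hits.Count -and $posts -ge $MinPosts -and
            $noRef -eq $hits.Count -and $KnownGood -notcontains $_.Name) {
            [pscustomobject]@{ Uri = $_.Name; Posts = $posts; DistinctClients = $ips }
        }
    }
}

$lines = $SampleLog -split "`r?`n"
# On the constructed sample this reports a single candidate: /help/EXAMPLE-dropped.jsp
Find-WebshellCandidate -Lines $lines -KnownGood $KnownGoodPostTargets | Format-Table -AutoSize
```

Against real logs, replace `$SampleLog` with `Get-Content` over the IIS log directory and build the baseline from a known-clean period; the heuristic is deliberately narrow (it will miss a webshell that also answers GETs) so that its hits are worth a manual look at the file on disk and its creation time.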
"Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller," Unit 42 said. "While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling."
110921 08:51 UPDATE: Microsoft said on Monday that it is attributing this campaign with high confidence to DEV-0322, a group operating out of China, "based on observed infrastructure, victimology, tactics, and procedures."
Microsoft's Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero-day, CVE-2021-35211 (a remote memory escape), that SolarWinds patched in July.
MSTIC researchers said that the attacks in this new round against the Zoho password manager install a custom IIS module. IIS, or Internet Information Services, is Microsoft's extensible web server for the Windows NT family of operating systems.
Besides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.
In its Sept. 16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus "take action immediately."
CISA also strongly recommended domain-wide password resets and a double reset of the Kerberos Ticket Granting Ticket (TGT) account (krbtgt) password "if any indication is found that the NTDS.dit file was compromised."
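The double reset CISA recommends is easy to get wrong: the second reset must not happen before the first has replicated to every domain controller, and it invalidates every ticket still issued under the pre-incident key. The PowerShell below is an added example, not code from the article or from CISA; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and the `Reset-KrbtgtPassword` / `Wait-KrbtgtReplication` helper names, timeout and hold-off values it defines, none of which come from the page.

```powershell
# Added example (not from the article or from CISA): a guarded double reset of the krbtgt
# account password. Assumes the RSAT ActiveDirectory module and Domain Admin rights; the
# timeout and hold-off values are assumptions, not CISA numbers. Run it against a lab first.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # The account never logs on interactively, so a long Base64 string is fine.
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtPassword {
    param([Parameter(Mandatory)][string]$Server)
    $new = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $new -Server $Server
    # Return the post-reset pwdLastSet (FILETIME ticks) so callers can track replication.
    (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $Server).pwdLastSet
}

function Wait-KrbtgtReplication {
    param(
        [Parameter(Mandatory)][long]$ExpectedPwdLastSet,
        [Parameter(Mandatory)][string[]]$DomainControllers,
        [int]$TimeoutMinutes = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Ask every DC directly; a DC that still shows an older pwdLastSet has not converged.
        $lagging = @(foreach ($dc in $DomainControllers) {
            $seen = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $dc).pwdLastSet
            if ($seen -lt $ExpectedPwdLastSet) { $dc }
        })
        if ($lagging.Count -eq 0) { return }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt password has not replicated to: $($lagging -join ', ')"
}

$pdc = (Get-ADDomain).PDCEmulator
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

# First reset: every DC must see it before the second one. Then hold off for the maximum
# TGT lifetime (10 hours by default) so tickets issued under the pre-incident key expire
# naturally instead of being cut off by the second reset.
$first = Reset-KrbtgtPassword -Server $pdc
Wait-KrbtgtReplication -ExpectedPwdLastSet $first -DomainControllers $dcs
Start-Sleep -Seconds (10 * 3600)

# Second reset: after this has replicated, nothing signed with the pre-incident key is accepted.
$second = Reset-KrbtgtPassword -Server $pdc
Wait-KrbtgtReplication -ExpectedPwdLastSet $second -DomainControllers $dcs
```

The hold-off is a disruption trade-off, not a security requirement: during an active intrusion a team may shorten it and accept that users and services re-authenticate, since a forged ticket minted from a stolen NTDS.dit stays valid until the second reset has replicated everywhere.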
If the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won't be surprising, some said. Dave Klein, cyber evangelist and director at Cymulate, pointed to the People's Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.
He pointed to the 2015 breach of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly attributed to the PRC. It included exquisitely sensitive information, including millions of federal employees' fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.
"The PRC got into clearance background information data including very sensitive information. Subsequently in that case they were looking for weaknesses in US classified personnel, which would include health hardships, either personally or related to them," Klein told Threatpost via email on Monday.
He noted that following the OPM breach, some healthcare agencies were subsequently breached, including Anthem Health, in an attack that affected more than 78 million people. "The interest in healthcare data globally continues not only for espionage purposes against targets (building an inventory of hardships/weak points) but also for seeking out healthcare data to better serve their local industries," Klein noted. "On energy, the interest is both in stealing industrial espionage information and in setting up compromises in critical infrastructures for potential use in cases of future hostilities."
Mike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and ManageEngine are ripe fruit for threat actors to pluck. Organizations that can't or won't patch are sitting ducks, he said.
"For whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn't keep patching updated," Denapoli told Threatpost. "We have reached the point where patching is a must, within a reasonable amount of time, and needs to be performed. While you don't have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. If not, then a breach is mandatory."
110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539
cymulate.com/
github.com/Maka8ka/NGLite
github.com/rule110-io/surge
nkn.org/
threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/
threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/
threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/
threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/
threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/
threatpost.com/ransomware-major-gaming-companies-apt27/162735/
threatpost.com/zimbra-server-bugs-email-plundering/168188/
threatpost.com/zoho-password-manager-zero-day-attack/169303/
unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/
www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1