Palo Alto Networks Unit 42 researchers discovered that a hacking group with ties to China breached at least nine organizations in a global cyber espionage campaign.
The report indicated that attackers indiscriminately targeted about 370 organizations in the defense, healthcare, education, technology, and energy sectors.
According to the researchers, hackers targeted organizations running vulnerable Zoho servers and compromised at least one entity in the United States.
Cyber espionage campaign deploys Godzilla webshells and NGLite backdoors
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Coast Guard had issued an alert on Sep 16, 2021, over threat actors exploiting a vulnerability in Zoho’s ManageEngine ADSelfService Plus password manager.
The attacks leveraged CVE-2021-40539, an authentication bypass in the ADSelfService Plus REST API that allows remote code execution and the deployment of additional payloads. The joint alert warned that the vulnerability posed a serious risk to US critical infrastructure entities and defense contractors.
“The ADSelfService attack is another example of hackers using zero-day vulnerabilities to insert malware into our enterprises,” said Garret Grajek, CEO at YouAttest. “This particular APT is a credential-stealing tool for the purpose of continually stealing credentials on the enterprise.
“The fact that the new attack went on top of previously patched components shows how important concepts of zero trust are to the enterprise. We must assume any component of the enterprise is compromised, even the recently patched – and therefore harden our identities and enforce the principle of least privilege on all accounts – especially the service accounts.”
Subsequently, Palo Alto Networks detected a second wave of attacks attempting to compromise vulnerable servers between Sep 22 and early October.
During the campaign, threat actors installed Godzilla webshells on compromised systems and NGLite backdoors on a subset of the victims. NGLite uses the New Kind of Network (NKN), a decentralized, blockchain-based networking protocol, as its command-and-control channel, which makes its traffic harder to distinguish from legitimate peer-to-peer activity.
The attackers leveraged the webshells or backdoors to execute remote commands, move laterally, and exfiltrate sensitive files. They also installed the credential-stealing tool KdcSponge to harvest login credentials and maintain access to compromised servers.
KdcSponge loads into the Local Security Authority Subsystem Service (LSASS) process on domain controllers and hooks Kerberos authentication functions, so it captures domain names, usernames, and passwords as users authenticate rather than reading them from memory after the fact.
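Because KdcSponge runs inside LSASS, one check a defender can make on a domain controller is to list the modules loaded into lsass.exe and flag anything not signed by Microsoft. The script below is an added example written for this page, not code from the Unit 42 report or the article; the signer-name check, the warning format, and the assumption that the implant is backed by a DLL on disk are my own.

```powershell
# Added example (not from the Unit 42 report or the article): list the modules
# loaded into lsass.exe and flag any that do not carry a valid Microsoft signature.
# Run elevated on a domain controller. Assumption: the implant is a DLL on disk;
# a payload injected reflectively, without a backing file, will not show up here.

$lsass = Get-Process -Name lsass -ErrorAction Stop

$suspicious = foreach ($module in $lsass.Modules) {
    $path = $module.FileName
    if (-not $path) { continue }

    # Get-AuthenticodeSignature also resolves catalog-signed OS binaries.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    if (-not $isMicrosoft) {
        [pscustomobject]@{
            Module  = $module.ModuleName
            Path    = $path
            Status  = $sig.Status
            Signer  = $signer
            Created = (Get-Item -LiteralPath $path).CreationTimeUtc
        }
    }
}

if ($suspicious) {
    Write-Warning ("{0} module(s) in lsass.exe are not signed by Microsoft:" -f @($suspicious).Count)
    $suspicious | Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    Write-Host 'All modules loaded in lsass.exe carry a valid Microsoft signature.'
}
```

Anything flagged needs manual triage: password filters, credential providers, and EDR agents from third-party vendors legitimately load into LSASS and will appear here with their own vendor's signature. If LSASS runs as a protected process (RunAsPPL), module enumeration from an unprotected PowerShell session may fail, but in that configuration an unsigned DLL cannot be loaded into LSASS in the first place.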
“Ultimately, the actor was interested in stealing credentials, maintaining access, and gathering sensitive files from victim networks for exfiltration,” the researchers wrote.
Ryan Olson, Vice President of Threat Intelligence at Palo Alto Networks Unit 42, noted that the organizations were targeted in the cyber espionage campaign because of the valuable information they held.
“In aggregate, access to that information can be really valuable,” Olson told CNN. “Even if it’s not classified information, even if it’s just information about how the business is doing.”
Saryu Nayyar, CEO at Gurucul, noted that the cyber espionage campaign is a nightmare for critical infrastructure, defense, and healthcare organizations.
“Malware that lurks undetected on systems and networks until it’s activated is one of the most insidious attacks possible because the possibility of detection is often fleeting. IT staff and SOC analysts have to use automated approaches to identify these activities as suspicious and high-risk, and automatically begin remediation where possible.”
Chinese hacking group Emissary Panda suspected in the global cyber espionage campaign
The cybersecurity company did not disclose the identity of the organization breached in the US, and Unit 42 researchers could not authoritatively attribute the cyber espionage to a specific threat actor.
However, the researchers posited that the activity resembled that of the Chinese hacking group Emissary Panda (also tracked as Threat Group 3390, APT27, or Bronze Union), based on the tactics, techniques, and procedures (TTPs) deployed.
“Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” the researchers stated.
“While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.”
The NSA cybersecurity director Rob Joyce advised organizations to review the report and check their systems for indicators of compromise (IOCs).
Both the US National Security Agency (NSA) and CISA are tracking the cyber espionage campaign.
CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agencies were using the public-private Joint Cyber Defense Collaborative (JCDC) to understand the threat and drive the response to the activity.
“Current tools and resources allow bad actors unprecedented abilities to scan and exploit vulnerabilities on a massive scale,” said Doug Britton, CEO at Haystack Solutions. “This works to accelerate RAT attacks into companies critical to the welfare of our economy.
“These and similar types of attacks won’t stop until we have stronger measures in place. We need to invest in the next generation of cyber professionals. We have the tools to find talent even in a tight labor market and we need to double down on this investment to ensure we have the ability to combat these threats going forward.”