You'll never guess who's been exploiting the ManageEngine service to steal passwords

Webshells and backdoors come with Chinese instructions


Palo Alto Networks' Unit 42 research team has said criminals using tools accompanied by Chinese instructions gained access to high-interest networks and stole passwords after exploiting at least 370 password management services in the US.

"As early as September 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet," wrote Unit 42. "Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October."

Unit 42 said that between September and October, the miscreant successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.

The vulnerability exploited by the attackers was originally reported by the Cybersecurity and Infrastructure Security Agency (CISA), which issued an alert on 16 September. An unrelated group of cyber actors had exploited the vulnerability in the same password management service, Zoho Group's ManageEngine ADSelfServicePlus, as early as August 2021.

"Advanced persistent threat (APT) cyber actors have targeted academic institutions, defence contractors, and critical infrastructure entities in multiple industry sectors – including transportation, IT, manufacturing, communications, logistics, and finance," warned CISA.

The attackers uploaded .zip files with a JavaServer Pages (JSP) webshell disguised as an x509 certificate and made subsequent requests to various API endpoints to further exploit compromised systems. The attackers then moved laterally using Windows Management Instrumentation (WMI), gained access to a domain controller, and exfiltrated registry hive and Active Directory files. The crims hid their tracks by running clean-up scripts.
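A defender's check for the disguise described above, as an added example that is not code from Unit 42, CISA or Zoho: it inspects an uploaded .zip and flags entries that carry a certificate extension but contain JSP markup or lack the outer structure of an X.509 certificate. The extension list, reason strings, function names and sample file names are assumptions made for illustration.

```python
import base64
import io
import re
import zipfile

CERT_EXTS = (".cer", ".crt", ".pem", ".der")  # assumed certificate extensions
JSP_MARKERS = (b"<%", b"<jsp:")               # JSP scriptlet/directive/action openers
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def is_der_sequence(data):
    """True if data is exactly one DER SEQUENCE (the outer shape of an X.509 cert)."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    n = data[1] & 0x7F if data[1] & 0x80 else 0   # long form: n length bytes follow
    length = int.from_bytes(data[2:2 + n], "big") if n else data[1]
    # Reject indefinite length (0x80) and any length that does not span the whole file.
    return (n or data[1] < 0x80) and 2 + n + length == len(data)

def is_plausible_cert(data):
    """Accept a single PEM certificate or raw DER; anything else is not a certificate."""
    m = PEM_RE.fullmatch(data.strip())
    if m:
        try:
            data = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            return False
    return is_der_sequence(data)

def scan_zip(blob):
    """Return (entry name, reason) for certificate-named entries that look wrong."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(CERT_EXTS):
                continue
            data = zf.read(info)
            if any(marker in data for marker in JSP_MARKERS):
                findings.append((info.filename, "jsp-markup"))
            elif not is_plausible_cert(data):
                findings.append((info.filename, "not-x509-structure"))
    return findings

def build_sample_zip():
    """Constructed sample: one DER-shaped blob, one JSP comment named like a certificate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.der", b"\x30\x82\x01\x00" + bytes(256))
        zf.writestr("fake.cer", b"<%-- constructed placeholder --%>")
    return buf.getvalue()
```

The structure test only validates the outer DER length, not the certificate fields, and a binary DER file can contain the two bytes `<%` by chance, so a "jsp-markup" hit on a structurally valid entry is a prompt for manual review.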

Zoho Corp issued a fix on 6 September, 10 days prior to the announcement, but the attacks had been active as early as August 2021, so a good amount of damage was done.

Within days Unit 42 identified an unrelated campaign that attacked the same vulnerability. The research team believes the scans were indiscriminate in nature.

The new team of crims gifted their victims a Godzilla webshell, with some also receiving a backdoor called NGLite. The pair are publicly available on GitHub and are believed to be operated together as a form of redundancy. Once one or the other was used to run commands, the attackers moved laterally onto the network where they could find the files they wanted and directly download them from the server. Then the attackers installed a new password-stealing tool called KdcSponge.

Unit 42 described Godzilla as a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality, and returns the result via an HTTP response, which allows attackers to keep code that could potentially be flagged as malicious off the target system until execution.

NGLite, on the other hand, is described as an "anonymous cross-platform remote control program based on blockchain technology." It leverages New Kind of Network (NKN) infrastructure for its command-and-control (C2) communications in order to remain anonymous. NKN is used legitimately for many reasons, but rarely as a C2 channel.

As for KdcSponge, it injects itself into the Local Security Authority Subsystem Service (LSASS) process, where it hooks undocumented functions to collect usernames and passwords from inbound Kerberos authentication attempts to the domain and records them in a file.

The identity of the threat actor remains a mystery. However, there are some similarities between this attack and Group-3390, also known as Emissary Panda, which is believed to operate from China. ®

Biting the hand that feeds IT © 1998–2021