Skip to content
A new campaign uses a known security vulnerability in the Zoho Manage Engine AD Self Service Plus password manager, researchers warned over the weekend.
The threat players have managed to exploit the Zoho weakness in at least 9 global entities across critical sectors so far (technology, defence, healthcare, energy & education), deploying the Godzilla web-shell & exfiltrating data.
Cyber-Espionage Campaign
On Sun., Palo Alto Network’s Unit 42 researchers said that the targeted cyber-espionage campaign is distinct from the ones that the FBI & CISA warned about in Sept.
The bug is a critical authentication bypass flaw – CVE-2021-40539 – that allows unauthenticated remote code execution (RCE).
Zoho patched the vulnerability in Sept., but it’s been actively exploited in the wild starting at least as early as Aug. when it was a zero-day, opening the corporate doors to attackers who can ‘run amok’ as they get free access across users’ Active Directory (AD) & cloud accounts.
Control of the Platform
Consequences of a successful exploit can be significant: The Zoho Manage Engine AD Self Service Plus is a self-service password management & single sign-on (SSO) platform for AD & cloud apps, meaning that any cyber-attacker able to take control of the platform would have multiple pivot points into both mission-critical apps (& their sensitive data) & other parts of the corporate network via AD.
It is, in other words, a powerful, highly privileged application which can function as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users & attackers alike.
CISA’s alert explained that in the earlier attacks, state-backed, advanced persistent threats (APTs) were deploying a specific web-shell & other techniques to maintain persistence in victim environments.
Harvesting Data
9 days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign starting on Sept. 17, as a different player started scanning for unpatched servers. On Sept. 22, after 5 days of harvesting data on potential targets, exploitation attempts started up & likely continued into early Oct.
Unit 42 researchers believe that the player more or less indiscriminately targeted unpatched servers across the spectrum, from education to the US Department of Defense, with scans of at least 370 Zoho Manage Engine servers in the US alone.
“While we lack insight into the totality of organisations that were exploited during this campaign, we believe that, globally, at least 9 entities across the technology, defence, healthcare, energy & education industries were compromised.” they stated.
Godzilla Web-Shell Does Some Heavy Lifting
Unit 42 stated that after threat players exploited CVE-2021-40539 to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla web-shell.
The player uploaded several Godzilla variations to compromised servers & planted some new malware tools as well, including a custom Golang-based open-source backdoor called NGLite & a new credential-stealer that Unit 42 is tracking as Kdc Sponge.
Exploits Differ
“The threat actors then used either the web-shell or the NGLite payload to run commands & move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server,” according to the analysis.
After the players pivoted to a domain controller, they installed the new Kdc Sponge stealer, which is designed to harvest usernames & passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.
Chinese
Both Godzilla & NGLite are written in Chinese & are free for the taking on GitHub.
“We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” Unit 42 surmised.
Multi-Function Pocketknife
The researchers described Godzilla as something of a multi-function pocketknife of a web-shell, noting that it “parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality & returns the result via a HTTP response.”
As such, attackers can refrain from inflicting targeted systems with code that is likely to be flagged as malicious until they are ready to dynamically execute it, researchers commented.
Using NKN to Communicate
“NGLite is characterised by its author as an ‘anonymous cross-platform remote control program based on blockchain technology,’” United 42 researchers Robert Falcone, Jeff White & Peter Renals explained. “It leverages New Kind of Network (NKN) infrastructure for its command & control (C2) communications, which theoretically results in anonymity for its users.”
The researchers noted that using NKN – a legitimate networking service that uses blockchain technology to support a decentralised network of peers – for a C2 channel is “very uncommon.”
“We have seen only 13 samples communicating with NKN altogether – 9 NGLite samples & 4 related to a legitimate open-source utility called Surge that uses NKN for file sharing.”
Threat Actor Shares TTPs with Emissary Panda
Unit 42 outlined that the identity of the threat player is unclear, but researchers saw correlations in tactics & tooling between the attacker & that of Threat Group 3390, aka Emissary Panda, APT27, Bronze Union & Lucky Mouse), an APT that’s been around since 2013 & which is believed to operate from China.
“Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation & another popular Chinese web-shell called China Chopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement & attacks on a domain controller,” Unit 42 explained.
Exploits Differ
“While the web-shells & exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.”
In its Sept. 16 alert, CISA recommended that organisations which spot indicators of compromise related to Manage Engine AD Self Service Plus should “take action immediately.”
Also, CISA strongly recommended domain-wide password resets & double Kerberos Ticket Granting Ticket (TGT) password resets, “if any indication is found that the NTDS.dit file was compromised.”
https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/
