Security researchers at Palo Alto Networks have identified a global espionage campaign that exploited a known vulnerability in the Zoho password management and single-sign-on platform, ManageEngine ADSelfService Plus.
The flaw, tracked as CVE-2021-40539, affects version 6113 and earlier versions of the ManageEngine ADSelfService Plus platform. It is a REST API authentication bypass issue that allows remote code execution and a full takeover of the server.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about the flaw on September 16, 2021 and warned that an exploit had been developed for the vulnerability that was being used by certain Advanced Persistent Threat (APT) actors to attack vulnerable systems.
Palo Alto researchers said they detected a second campaign by another APT actor that started on September 17, 2021, when scans were conducted for vulnerable systems. Vulnerable systems started to be attacked on September 22 with the activity continuing throughout October. The researchers identified exploitation attempts on 370 vulnerable servers in the United States alone, with the APT group known to have successfully compromised the systems of 9 organizations by exploiting the flaw. The victims came from several sectors, including defense, energy, healthcare, and education.
After exploiting the flaw and bypassing authentication, the APT group delivered the Godzilla web shell and a new backdoor dubbed NGLite. The researchers believe the two tools were used to ensure the attackers could maintain persistent access to the networks of high-interest victims.
According to the researchers, NGLite is an “anonymous cross-platform remote control program based on blockchain technology” that leverages New Kind of Network (NKN) infrastructure for C2 communications, allowing its operators to remain anonymous. The researchers note that the use of NKN for C2 communications is very uncommon. “We have seen only 13 samples communicating with NKN altogether – nine NGLite samples and four related to a legitimate open-source utility called Surge that uses NKN for file sharing,” explained Palo Alto.
The attackers then moved laterally within victims’ networks, identifying and exfiltrating data of interest. Once they identified a domain controller, they deployed a new credential-stealing tool dubbed KdcSponge to collect the usernames and passwords used to authenticate to the domain via Kerberos.
It has not been possible to identify the threat actor behind this campaign, but based on the tactics, techniques, and procedures used, Palo Alto believes the campaign was conducted by the Chinese state-sponsored hacking group APT27, also known as TG-3390 and Emissary Panda.
Palo Alto Networks has identified 11,000 Internet-facing servers with the Zoho solution installed, although it is unclear how many of those servers have not yet been patched. Any organization that uses the ManageEngine ADSelfService Plus platform is advised to check its patching status and ensure the vulnerability is mitigated as soon as possible to prevent exploitation, and also to investigate for indicators of compromise if the patch has not already been applied.