Hackers are exploiting a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus, that could allow them to perform remote code execution. Earlier, CISA had warned regarding advanced persistent threat (APT) actors exploiting the flaw.

What happened?

Recently, Palo Alto Networks uncovered a spying campaign exploiting the flaw to gain initial access to targeted organizations.
  • Their targets included at least nine entities from various sectors including defense, energy, technology, healthcare, and education.
  • The attackers were using malicious tools for credentials harvesting and stealing sensitive information via a backdoor.
  • The exploited flaw, tracked as CVE-2021-40539, lets criminals move laterally throughout the network for post-exploitation activities.

Notably, the attackers are believed to have targeted 370 Zoho ManageEngine servers alone in the U.S.

Attack tactics and new revelations

  • The attackers used the Godzilla webshell, where they uploaded several variations of the webshell to the targeted server.
  • Successful initial exploitation activities involved an installation of a Chinese-language JSP web shell, Godzilla, with selected victims being infected with NGLite, a custom and open-source Trojan.
  • Several of the tools used by the attackers, such as NGLite and KdcSponge, were previously undetected tools with unique characteristics.

About NGLite and KdcSponge

  • NGLite is an anonymous cross-platform remote control program based on blockchain technology. It uses a New Kind of Network (NKN) infrastructure during C2 communications for anonymity.
  • The toolset allows the attacker to execute commands and move laterally to other systems on the network, while simultaneously transmitting files of interest.
  • The attackers deploy KdcSponge to steal credentials from domain controllers.

Attribution with other threat groups

  • Although researchers were not able to link this campaign with any specific threat group with complete surety, correlations were observed in tactics and tooling with Emissary Panda.
  • Microsoft separately tracked the same campaign and linked it with an emerging threat named DEV-0322. DEV-0322 operates from China and previously exploited a zero-day flaw in SolarWinds Serv-U.

Concluding note

New campaigns emerging to bite victims via previously disclosed flaws reflect an existing gap in the security readiness of firms. Experts recommend implementing a robust patch management program to stay protected from such threats.

Cyware Publisher