Hackers are exploiting a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus that could allow them to perform remote code execution. Earlier, CISA had warned that advanced persistent threat (APT) actors were exploiting the flaw.

What happened?

Recently, Palo Alto Networks uncovered an espionage campaign exploiting the flaw to gain initial access to targeted organizations.
  • Their targets included at least nine entities from various sectors including defense, energy, technology, healthcare, and education.
  • The attackers were using malicious tools for credentials harvesting and stealing sensitive information via a backdoor.
  • The exploited flaw, tracked as CVE-2021-40539, lets criminals move laterally throughout the network for post-exploitation activities.

Notably, the attackers are believed to have targeted 370 Zoho ManageEngine servers alone in the U.S.

Attack tactics and new revelations

  • The attackers used the Godzilla webshell, uploading several variants of it to the targeted server.
  • Successful initial exploitation was followed by installation of Godzilla, a Chinese-language JSP web shell; selected victims were additionally infected with NGLite, a custom open-source Trojan.
  • Several of the tools used by the attackers, such as NGLite and KdcSponge, were previously undetected tools with unique characteristics.

About NGLite and KdcSponge

  • NGLite is an anonymous cross-platform remote control program based on blockchain technology. It uses the New Kind of Network (NKN) infrastructure for its C2 communications, which helps keep the traffic anonymous.
  • The toolset allows the attacker to execute commands and move laterally to other systems on the network, while simultaneously transmitting files of interest.
  • The attackers deploy KdcSponge to steal credentials from domain controllers.

Attribution with other threat groups

  • Although researchers were not able to link this campaign to any specific threat group with certainty, overlaps in tactics and tooling with Emissary Panda were observed.
  • Microsoft separately tracked the same campaign and linked it with an emerging threat named DEV-0322. DEV-0322 operates from China and previously exploited a zero-day flaw in SolarWinds Serv-U.

Concluding note

New campaigns that hit victims through previously disclosed flaws reflect a persistent gap in the security readiness of organizations. Experts recommend implementing a robust patch management program to stay protected from such threats.

Update on January 26, 2022:
Responding to the vulnerability exploitation attempts, the company said: "We have addressed an authentication bypass vulnerability in ManageEngine's ADSelfService Plus. The vulnerability affects REST API URLs and could result in Remote Code Execution. We released a patch and notified all our customers about the bug. They are requested to update the software to the latest version (build 6114) as soon as possible. A public advisory, detailing the steps to be taken by customers if they are affected, has been issued. Please refer to this link. We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required."
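Two checks a defender would want after reading this: whether the installed build is at or above the fixed build 6114 named in the statement above, and whether any JSP files have appeared or changed under the application's web root, since the campaign relied on uploading variants of the Godzilla JSP web shell. The script below is an added example written for this page, not code from Zoho, Palo Alto Networks, or Microsoft. It compares the current set of `.jsp` files against a known-good baseline of SHA-256 hashes (taken from a clean install or an earlier scan) and, where no baseline exists, falls back to listing `.jsp` files modified within a recent window. The web root it scans is a constructed temporary directory; the real ADSelfService Plus install path is not stated on the page, so substitute it yourself.

```python
"""Hunt for unexpected JSP files under a web application root and gate on build number.

Added example for this page (not Zoho's or Palo Alto Networks' code).
The sample web root and its files are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Fixed build named in Zoho's statement quoted on this page.
PATCHED_BUILD = 6114


def is_patched(build_number: int) -> bool:
    """True when the installed ADSelfService Plus build is at or above the fixed build."""
    return build_number >= PATCHED_BUILD


def hash_jsp_tree(webroot) -> dict:
    """Map every .jsp file under webroot (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*.jsp")
        if p.is_file()
    }


def diff_against_baseline(current: dict, baseline: dict):
    """Return (added, modified): JSP files absent from the baseline, and ones whose hash changed."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified


def recently_modified_jsp(webroot, max_age_days: float) -> list:
    """Fallback when no baseline exists: .jsp files whose mtime is within the last max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    root = Path(webroot)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.jsp")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def build_sample_webroot():
    """Construct a demo web root: two 'legitimate' pages aged 30 days, a baseline taken of them,
    then one new file dropped and one legitimate page altered. Returns (root, baseline)."""
    root = Path(tempfile.mkdtemp(prefix="adssp_demo_"))  # constructed path, not a real install
    help_dir = root / "help"
    help_dir.mkdir()
    index = help_dir / "index.jsp"
    login = help_dir / "login.jsp"
    index.write_text("<%-- constructed legitimate page --%>\n")
    login.write_text("<%-- constructed legitimate page --%>\n")
    baseline = hash_jsp_tree(root)  # snapshot of the clean state
    old = time.time() - 30 * 86400
    for f in (index, login):
        os.utime(f, (old, old))  # make the legitimate files look a month old
    dropped = help_dir / "admin-guide" / "x.jsp"
    dropped.parent.mkdir()
    dropped.write_text("<%-- constructed stand-in for an unexpected upload --%>\n")
    with login.open("a") as fh:  # constructed stand-in for a tampered legitimate page
        fh.write("<%-- appended content --%>\n")
    return root, baseline


def report(webroot, baseline=None, max_age_days: float = 7.0) -> dict:
    """Produce the findings a responder would triage: added/modified JSP files and recent ones."""
    current = hash_jsp_tree(webroot)
    added, modified = diff_against_baseline(current, baseline or {})
    return {
        "added": added,
        "modified": modified,
        "recent": recently_modified_jsp(webroot, max_age_days),
    }


if __name__ == "__main__":
    for build in (6113, 6114):
        print(f"build {build}: {'patched' if is_patched(build) else 'VULNERABLE, update to ' + str(PATCHED_BUILD)}")
    root, baseline = build_sample_webroot()
    findings = report(root, baseline)
    print("JSP files not in baseline:", findings["added"])
    print("JSP files changed since baseline:", findings["modified"])
    print("JSP files modified in the last 7 days:", findings["recent"])
```

The baseline comparison is the stronger check: a web shell dropped with a backdated timestamp evades the mtime window but not a hash mismatch, so record a baseline of the web root right after patching to build 6114 and re-run the diff on a schedule.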
Cyware Publisher