Using a newly fixed serious flaw in Zoho’s ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution, at least nine entities in the technology, healthcare, defense, education, and energy industries were affected.
The espionage activity includes the threat actor exploiting the weakness to obtain initial access to selected businesses before moving laterally within the network to conduct post-exploitation operations such as harvesting credentials and exfiltrating sensitive data via a backdoor.
According to analysts from Palo Alto Networks’ Unit 42 threat intelligence team, the actor extensively depends on the Godzilla web shell, downloading many iterations of the open-source web shell to the compromised server during the operation period.
Many additional tools, such as the NGLite backdoor and the KdcSponge stealer, have unique properties or have never been publicly reported as having been used in earlier attacks.
The vulnerability, identified as CVE-2021-40539, affects REST API URLs and potentially allows remote code execution, causing the United States’ Cybersecurity and Infrastructure Security Agency (CISA) to warn about active exploitation efforts in the wild. The security flaw has been given a severity rating of 9.8 out of ten.
The first successful exploitation was followed by deploying a Chinese-language JSP web shell named “Godzilla,” with select victims additionally infected with a bespoke Golang-based open-source Trojan called “NGLite,” according to Unit 42’s study into the attack campaign.
Researchers Robert Falcone, Peter Renals, and Jeff White state that NGLite is an anonymous cross-platform remote control tool based on blockchain technology. Its command and control (C2) communications employ a New Kind of Network (NKN) infrastructure, which purportedly gives its users anonymity.
The toolkit allowed the attacker to run commands and move laterally across the network while transferring files of interest in the following phases. A unique password-stealer, known as “KdcSponge,” was also used in the kill chain to rob credentials from domain controllers.
Beginning September 17, the attacker is thought to have targeted at least 370 Zoho ManageEngine systems in the United States alone. While the threat actor’s identity is unknown, Unit 42 claims to have seen similarities in tactics and tools between the attacker and Emissary Panda (aka TG-3390, APT27, Iron Tiger, BRONZE UNION, or LuckyMouse).
CISA advises organizations to take quick action if they notice any behavior linked to ManageEngine ADSelfService Plus signs of compromise in their networks. In addition, if the ‘NTDS.dit‘ file is found to be hacked, domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets are recommended.