At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution.
The spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.
"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation," researchers from Palo Alto Networks' Unit 42 threat intelligence team said in a report. "Several other tools have novel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor and the KdcSponge stealer."
Tracked as CVE-2021-40539, the vulnerability relates to an authentication bypass vulnerability affecting REST API URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.
Real-world attacks weaponizing the bug are said to have commenced as early as August 2021, according to CISA, the U.S. Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER).
Unit 42's investigation into the attack campaign found that successful initial exploitation activities were consistently followed by the installation of a Chinese-language JSP web shell named "Godzilla," with select victims also infected with a custom Golang-based open-source Trojan called "NGLite."
"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'" researchers Robert Falcone, Jeff White, and Peter Renals explained. "It leverages New Kind of Network (NKN) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users."
In subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network, while simultaneously transmitting files of interest. Also deployed in the kill chain is a novel password-stealer dubbed "KdcSponge" orchestrated to steal credentials from domain controllers.
Ultimately, the adversary is believed to have targeted at least 370 Zoho ManageEngine servers in the U.S. alone beginning September 17. While the identity of the threat actor remains unclear, Unit 42 said it observed correlations in tactics and tooling between the attacker and that of Emissary Panda (aka APT27, TG-3390, BRONZE UNION, Iron Tiger, or LuckyMouse).
Microsoft, which is also independently tracking the same campaign, tied it to an emerging threat cluster "DEV-0322" that's operating out of China and has been previously detected exploiting a zero-day flaw in SolarWinds Serv-U managed file transfer service in July 2021. The Redmond-based company also pointed out the deployment of an implant called "Zebracon" that allows the malware to connect to compromised Zimbra email servers with the goal of retrieving additional instructions.
"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately," CISA said, in addition to recommending "domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the 'NTDS.dit' file was compromised."