NSA Reports: Espionage Group Breaches Critical Systems9 Victims of Zoho Bug Include Defense, Energy and Healthcare
Threat actors have breached critical systems internationally by exploiting a recently patched vulnerability in Zoho’s ManageEngine product ADSelfService Plus, according to researchers at cybersecurity firm Palo Alto Networks' Unit 42. The research report was published in collaboration with the National Security Agency's Cybersecurity Collaboration Center.
The attackers, likely a Chinese threat group, leveraged leased infrastructure in the U.S. to scan hundreds of vulnerable organizations across the internet that had not patched their systems with the fix released for CVE-2021-40539, according to Unit 42.
On Wednesday, CISA issued a directive called "Binding Operational Directive 22-01 to reduce the "significant risk of known exploited vulnerabilities" to all federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems, and planned to catalog known exploited vulnerabilities. It sets a deadline of Nov. 17 for all federal agencies to fix the CVE-2021-40539 vulnerability and apply the patch, according to the current catalog.
The directive calls for all federal departments and agencies to update affected technology or software listed - if used - within a stipulated period. (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
Victims of Zoho
The Zoho campaign, which began on Sept. 17, is reported to have continued until the first half of October and compromised at least nine unidentified global entities across technology, defense, healthcare, energy and educational sectors. The bad actors have targeted at least 370 Zoho ManageEngine servers in the U.S. alone, the researchers say.
The identified victims are believed to be just the "tip of the spear," with more expected to emerge soon, Ryan Olson, a senior Palo Alto Networks executive, told news platform CNN. Only one of the confirmed victims is a U.S. company, he adds.
With espionage as the primary motive, "hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks," Olson told CNN.
The tactics and tools used in the campaign, based on the researchers' analysis of the code signatures and payloads, likely belong to Chinese Threat Group 3390, also known as TG-3390, Emissary Panda and APT27, the blog post says.
"We can see that TG-3390 used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller," the researchers say. Although the webshells and exploits may seem different, the extraction tools used once the threat actors achieved access into the victim's environment were similar, they add.
Following initial exploitation of the CVE-2021-40539 vulnerability, the threat actor deploys a payload that installs a Godzilla webshell in the victim's system, according to the researchers. The functionally rich webshell then parses inbound HTTP POST requests, decrypts the data with a secret key, executes the decrypted content to carry out additional functionality and returns the result via a HTTP response, they add.
While Godzilla was deployed consistently in all victim systems, a small subset of compromised organizations received a modified version of a new backdoor called NGLite, the researchers say.
The threat actors used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while exfiltrating files of interest simply by downloading them from the web server, the researchers note.
Finally, after gaining access to the domain controllers, the threat actors deploy KdcSponge, a novel credential-stealing tool. The researchers say, "KdcSponge injects itself into the Local Security Authority Subsystem Service process and hooks specific functions to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos."
Cybersecurity firm SophosLabs shared on Sunday that it has received reports from customers saying that threat actors were exploiting the Zoho ManageEngine ADSelfServicePlus vulnerability.
⚠️We've received reports from multiple customers that one or more threat actors are exploiting a vulnerability in Zoho ManageEngine ADSelfServicePlus (CVE-2021-40539) in ongoing attacks.— SophosLabs (@SophosLabs) November 6, 2021
If you use this product, please check Zoho's KB here for a fix: https://t.co/mgob8Lx7xR
Rob Joyce, director of cybersecurity for the U.S. National Security Agency, urges customers to review the Unit 42 blog post for indicators of compromise and safeguard themselves.
Review this blog and check your networks for IOCs related to this ongoing malicious activity. Actionable threat sharing among public-private partners makes a difference against adversary intrusions. Good work by all involved! https://t.co/uLEtkrPGNf— Rob Joyce (@NSA_CSDirector) November 8, 2021
Zoho had earlier released ADSelfService Plus build 6114 to fix the issue.
Defense contractors are a recurring target for foreign adversaries, as was witnessed earlier this year.
When the ManageEngine vulnerability first came to light, the Cybersecurity and Infrastructure Security Agency, in a September alert, noted that advanced persistent threat actors were actively exploiting newly identified vulnerabilities in self-service password management solution ManageEngine ADSelfService Plus and that defense contractors were being targeted by the threat actors. (see: US Warns Nation-State Groups May Exploit Flaw in Zoho Tool).
"Any company doing business with the Pentagon could have a range of data in their emails about defense contracts that could be of interest to foreign spies. In aggregate, access to that information can be really valuable," Olson told CNN. And he said that doesn't mean just classified information: "Even if it's just information about how the business is doing, it is valuable."