
Cybersecurity experts from Palo Alto Networks warned of an ongoing cyberespionage campaign that has breached nine global organisations.

  • The cyberespionage group compromised at least nine organisations worldwide from critical sectors, including defence, energy, healthcare, and technology.
  • Threat actors exploited a critical vulnerability, tracked as CVE-2021-40539, in the Zoho ManageEngine ADSelfService Plus software.
  • The attack began in mid-September and continued into October.
  • According to the report, the attackers targeted 370 Zoho ManageEngine servers in the United States alone.


Threat actors exploited a critical vulnerability, tracked as CVE-2021-40539, in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. The vulnerability resides in the REST API URLs of ADSelfService Plus and can lead to remote code execution (RCE).

“As early as Sept. 17, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organisations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defence, healthcare, energy and education industries,” reads the analysis published by Palo Alto Networks.

“Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla web shell.”

The analysis of the global telemetry from Palo Alto Networks revealed that attackers targeted at least 370 Zoho ManageEngine servers in the United States alone.

After gaining a foothold on their victims’ systems with CVE-2021-40539 exploits, the threat actors first deployed a malware dropper that delivered Godzilla web shells to the compromised servers, to gain and maintain access to the victims’ networks, along with further malware, including an open-source backdoor known as NGLite.

They also used KdcSponge, a credential-stealing malware that hooks Windows LSASS API functions to capture credentials (i.e., domain names, usernames, and passwords), which are later sent to attacker-controlled servers.

After gaining entry to the initial server, the actors focused on gathering and exfiltrating sensitive information from local domain controllers, such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.
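One way a defender could surface the collection step described above, as an added example that is not from the Palo Alto Networks report or this article: the script correlates reads of ntds.dit with exports of the SYSTEM hive (whose boot key is needed to decrypt the database) on the same host within a short window, since either artifact alone is common in legitimate backups but the pair is what offline credential extraction needs. The event lines and their key=value schema (ts, host, user, action, target) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint audit events (not telemetry from the report): one
# event per line, key=value fields. Assumed schema: ts, host, user, action, target.
SAMPLE_EVENTS = """\
ts=2021-09-23T04:10:02Z host=DC01 user=svc-web action=file_read target=C:\\Windows\\NTDS\\ntds.dit
ts=2021-09-23T04:13:05Z host=DC01 user=svc-web action=reg_export target=HKLM\\SYSTEM
ts=2021-09-23T09:00:00Z host=DC02 user=backup-op action=file_read target=C:\\Windows\\NTDS\\ntds.dit
ts=2021-09-23T11:30:00Z host=WS07 user=alice action=file_read target=C:\\Users\\alice\\notes.txt
ts=2021-09-24T02:00:00Z host=DC02 user=backup-op action=reg_export target=HKLM\\SYSTEM
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value line into a dict; ts becomes a datetime."""
    ev = dict(FIELD_RE.findall(line))
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_ntds_read(ev):
    return ev["action"] == "file_read" and ev["target"].lower().endswith("\\ntds.dit")

def is_system_hive_export(ev):
    return ev["action"] == "reg_export" and ev["target"].upper() == "HKLM\\SYSTEM"

def correlate_credential_theft(text, window=timedelta(minutes=30)):
    """Return (host, user, first_ts) for each host where ntds.dit was read and the
    SYSTEM hive was exported within `window` of each other."""
    by_host = defaultdict(lambda: {"ntds": [], "hive": []})
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if is_ntds_read(ev):
            by_host[ev["host"]]["ntds"].append(ev)
        elif is_system_hive_export(ev):
            by_host[ev["host"]]["hive"].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for n in evs["ntds"]:
            for h in evs["hive"]:
                if abs(n["ts"] - h["ts"]) <= window:
                    alerts.append((host, n["user"], min(n["ts"], h["ts"])))
    return alerts

if __name__ == "__main__":
    for host, user, ts in correlate_credential_theft(SAMPLE_EVENTS):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} host={host} user={user}: ntds.dit read and SYSTEM hive export within 30 min")
```

On the sample, DC02 is not flagged because its two events are 17 hours apart; the window is a tuning knob, not a fixed threshold.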

“Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration.”

While experts have yet to attribute the campaign to a specific threat actor, they observed some similarities with the TTPs associated with Threat Group 3390 (TG-3390, Emissary Panda, APT27, Bronze Union, and Lucky Mouse).
