Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks

China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted observing a novel tradecraft to gain initial access to target networks. CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 […]

China-linked APT Salt Typhoon

China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted observing a novel tradecraft to gain initial access to target networks.

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

Crowdstrike reported that the group employed ManageEngine Self-service Plus exploits to gain initial access, then the attackers rely on custom webshells to achieve persistent access, and living-off-the-land (LOTL) techniques for lateral movement.

In one of the attacks blocked by the security firm, the APT group targeted a Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server.

“The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI.” reads the analysis published by the company. “VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.”

The analysis of the Apache Tomcat access logs revealed the execution of multiple HTTP POST requests to /html/promotion/selfsdp.jspx, which is a web shell used by the threat actors.

Crowdstrike reported that the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software.

The researchers believe that the VANGUARD PANDA group had a deep knowledge of the target environment clearly obtained by performing extensive prior recon and enumeration.

The attackers likely prior obtained/compromised administrator credentials, however, Crowdstrike did no find access log artifacts for CVE-2021-40539, but they pointed out that the Falcon sensor was only recently installed on the targeted host.

In September 2021, Zoho released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warned the vulnerability was exploited in attacks in the wild.

The vulnerability resides in the REST API URLs in ADSelfService Plus and could lead to remote code execution (RCE)

The absence of artifacts demonstrating the exploitation of the above issue in the attack analyzed by Crowdstrike demonstrates that attackers have attempted to cover their tracks.

VANGUARD PANDA hackers failed to clear out the generated Java source or compiled Class files revealing numerous webshells and backdoors employed in the same attack. 

Below is the attack chain employed by the attackers:

  • Use webshell to retrieve ListName.jsp from a remote source, and place in web server directory
  • Use webshell to retrieve tomcat-ant.jar from a remote source and move to C:/users/public/ Use webshell to copy tomcat-websocket.jar out of the Apache Tomcat library directory into C:/users/public
  • Make an HTTP GET request to ListName.jsp, which would move A, B, and C classes from tomcat-ant.jar to tomcat-websocket.jar
  • Use webshell to replace the tomcat-websocket.jar in the Apache Tomcat library with the backdoored version
  • Cleanup (Delete JARs out of C:/users/public, Delete ListName.jsp out of the web server directory, Clear Apache Tomcat access logs)

“The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by VANGUARD PANDA. This backdoor was likely used by VANGUARD PANDA to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VANGUARD PANDA)