Security researchers have warned of a new Chinese hacking campaign using a known flaw in the Zoho ManageEngine ADSelfService Plus password manager to steal data.
Hackers gained initial access to targeted organizations by exploiting a recently patched vulnerability in Zoho’s ManageEngine product, ADSelfService Plus, tracked in CVE-2021-40539, according to researchers at Palo Alto Network’s Unit 42.
Researchers added this campaign is separate from one described in a US Cybersecurity and Infrastructure Security Agency (CISA) advisory published in September.
The flaw, CVE-2021-40539, allows for REST API authentication bypass with resultant remote code execution in vulnerable devices. The Zoho patched the flaw in September.
In this campaign, hackers used leased infrastructure in the US to scan hundreds of vulnerable organizations across the internet. Researchers said exploitation attempts began on September 22 and continued into early October. During that window, the actor successfully compromised at least nine global entities in the technology, defense, health care, energy, and education industries.
After the initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell.
“This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite,” said researchers.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
Hackers then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network while they exfiltrated files of interest simply by downloading them from the web server.
“Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge,” said researchers.
Researchers said Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub.
“We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” researchers added.
Researchers said the hackers' main goal was to gain persistent access to the network and gather and exfiltrate sensitive documents from the compromised organization.
“The threat actor gathered sensitive files to a staging directory and created password-protected multi-volume RAR archives in the Recycler folder. The actor exfiltrated the files by directly downloading the individual RAR archives from externally facing web servers,” researchers added.
-
Russian hackers are using an old Cisco flaw to target network devices – here’s how you can stay safeNews With the aim of carrying out espionage, Russia's Center 16 is targeting infrastructure organizations around the world
-
Advania acquires Gompute to bolster AI and HPC capabilitiesNews Gompute customers will be able to leverage Advania’s broader AI capabilities, resources, and local expertise across Northern European markets
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Passwords are a problem: why device-bound passkeys can be the future of secure authenticationIndustry insights AI-driven cyberthreats demand a passwordless future…
-
LastPass just launched a tool to help security teams keep tabs on shadow IT risksNews Companies need to know what apps their employees are using, so LastPass made a browser extension to help
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
The NCSC wants you to start using password managers and passkeys – here’s how to choose the best optionsNews New guidance from the NCSC recommends using passkeys and password managers – but how can you choose the best option? ITPro has you covered.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
