Researchers warned this week of a new campaign exploiting a known security vulnerability in Zoho ManageEngine ADSelfService Plus, the company's Active Directory password-management product.
So far the threat actors have compromised at least nine global organizations in critical sectors (technology, defense, healthcare, energy and education) that are exposed to the Zoho flaw.
A cyber-espionage campaign.
The activity is more targeted than what the FBI and CISA described in their September 9 report, and "it's different from [other] cyber-espionage campaigns," Palo Alto Networks' Unit 42 researchers said.
The flaw is a critical authentication bypass, CVE-2021-40539, that enables unauthenticated remote code execution (RCE).
Zoho patched the vulnerability in September; it had already been exploited as a zero-day in August.
Platform Control
The platform sits in a highly privileged position: through Active Directory it touches sensitive data from mission-critical applications, and it reaches into many other parts of the enterprise network.
In other words, it is a powerful and privileged application that offers a convenient entry point into the corporate environment for users and attackers alike.
In the earlier attack, an advanced, state-backed threat actor deployed custom webshells and other mechanisms to persist in victims' environments, the CISA alert explained.
Data Collection
Nine days after the CISA alert, Unit 42 researchers observed a separate, unrelated campaign: on September 17, a different set of actors began scanning for vulnerable servers, and the researchers started tracking them. After collecting information about vulnerable targets, the actors began exploitation five days later, on September 22, and continued into early October.
Researchers believe the attackers were targeting a spectrum of organizations ranging from the U.S. Department of Defense to the education sector. They detected at least 370 Zoho ManageEngine servers in the U.S. alone.
It is not known how many targets were hit in this campaign, but at least nine companies in the technology, defense, healthcare, energy and education industries are believed to have been compromised.
Godzilla webshell does the heavy lifting.
Unit 42 says that once the actors obtained RCE by exploiting CVE-2021-40539, they did not take a novel approach to spreading malware. "It's not like that," they said; specifically, the actors relied on the publicly available Godzilla webshell.
The actors uploaded various Godzilla variants to compromised servers, then installed further tooling, including NGLite, a custom Go-based open-source backdoor, and a new credential-stealing tool that Unit 42 calls KdcSponge.
Collection is different.
According to the analysis, the threat actors then used the webshell or the NGLite payload to execute commands and move laterally to other systems on the network.
They targeted domain controllers and installed the new KdcSponge credential stealer, which is designed to capture the usernames and passwords of accounts as they authenticate to the domain via Kerberos on the domain controller.
China
Godzilla and NGLite are written in Chinese and are freely available on GitHub.
The threat actors' combination of these tools is an interesting one, Unit 42 said, and it is believed to have been used against the nine victims.
Multipurpose pocket knife.
Researchers describe Godzilla as a multipurpose pocket knife of a webshell. Once running, it "parses incoming HTTP POST requests," extracts the secret key and uses it to decrypt the accompanying data.
This lets an attacker run code on the target system that would otherwise be identified as malicious, unless defenders are prepared to catch it quickly, the researchers said.
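As an added, defender-side example (this is not code from the Unit 42 report, Zoho or the Godzilla project), the following PowerShell sweep looks for the two traces a webshell of the kind described above leaves on an ADSelfService Plus host: script files written into the application's web root that are not in a known-good baseline, and repeated HTTP POSTs to script paths the application itself never serves. The web-root path, the baseline entries, the endpoint names and the access-log lines are constructed placeholders; the log format assumed is the common log format that Tomcat writes by default.

```powershell
# Added defender-side example; not code from Unit 42, Zoho or the Godzilla project.
# Check 1: JSP files under the web root written after the window of interest
#          and absent from a known-good baseline.
# Check 2: repeated HTTP POSTs to script paths the application never serves,
#          parsed from common-log-format access logs (Tomcat's default format).

function Find-UnexpectedScriptFiles {
    param(
        [Parameter(Mandatory)] [string]   $WebRoot,   # e.g. '<install-dir>\webapps' (placeholder)
        [Parameter(Mandatory)] [datetime] $Since,     # start of the window of interest
        [string[]] $Baseline = @()                    # relative paths of known-good scripts
    )
    $root = $WebRoot.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File -Include *.jsp, *.jspx |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).TrimStart('\')
            if ($Baseline -notcontains $rel) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                    SizeBytes = $_.Length
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

function Find-SuspiciousPosts {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $KnownPostPaths = @(),   # endpoints the application legitimately accepts POSTs on
        [int]      $Threshold = 3           # flag a (client, path) pair after this many POSTs
    )
    # Common log format: host ident user [time] "METHOD path proto" status bytes
    $pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)'
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            # Copy the captures before any further -match call overwrites $Matches.
            $ip     = $Matches.ip
            $method = $Matches.method
            $path   = $Matches.path.Split('?')[0]
            $ext    = [System.IO.Path]::GetExtension($path)
            if ($method -eq 'POST' -and $ext -in '.jsp', '.jspx' -and $KnownPostPaths -notcontains $path) {
                $key = "$ip $path"
                $counts[$key] = 1 + [int]$counts[$key]
            }
        }
    }
    foreach ($entry in $counts.GetEnumerator()) {
        if ($entry.Value -ge $Threshold) {
            $client, $p = $entry.Key -split ' ', 2
            [pscustomobject]@{ Client = $client; Path = $p; PostCount = $entry.Value }
        }
    }
}

# Constructed sample log lines (not real traffic): one client POSTs repeatedly to a
# JSP that is not a known application endpoint; the endpoint names are made up.
$sampleLog = @(
    '192.0.2.10 - - [22/Sep/2021:10:15:01 +0000] "GET /app/login.do HTTP/1.1" 200 8120',
    '192.0.2.10 - - [22/Sep/2021:10:15:09 +0000] "POST /ui/uploads/note.jsp HTTP/1.1" 200 412',
    '192.0.2.10 - - [22/Sep/2021:10:15:14 +0000] "POST /ui/uploads/note.jsp HTTP/1.1" 200 2200',
    '192.0.2.10 - - [22/Sep/2021:10:16:02 +0000] "POST /ui/uploads/note.jsp?x=1 HTTP/1.1" 200 96',
    '198.51.100.7 - - [22/Sep/2021:10:17:00 +0000] "POST /app/login.do HTTP/1.1" 302 0'
)
Find-SuspiciousPosts -LogLines $sampleLog -KnownPostPaths @('/app/login.do') | Format-Table

# Filesystem sweep; replace the placeholder with the real ADSelfService Plus web root.
# Find-UnexpectedScriptFiles -WebRoot 'C:\<install-dir>\webapps' -Since (Get-Date '2021-08-01') | Format-Table
```

The log check reports the (client, path) pair 192.0.2.10 / /ui/uploads/note.jsp with three POSTs; the login endpoint is ignored because it is in the allow-list. Because Godzilla encrypts its request bodies, the body content itself is not useful for matching, which is why this check keys on the request path and repetition rather than on payload signatures. The file sweep hashes each hit so the result can be compared against vendor-published indicators without copying the file off the host.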
Using NKN in communications.
According to Unit 42 researchers Robert Falcone, Jeff White and Peter Renals, the type of network used for command and control is a new one; its infrastructure is theoretically anonymous to its users.
The researchers found that NKN, a legitimate internet service, provides a decentralized peer-to-peer network built on blockchain technology. The use of blockchain technology to support a C2 channel is, in their words, "different."
"We have only seen 13 samples communicating with NKN in total. Nine samples are NGLite and four are files linked to Surge, a legitimate open-source platform that uses NKN for transactions."
Threat actors share TTPs with Emissary Panda.
Unit 42 said the identity of the threat actors remains unclear, but it found that their strategy and tools are related to those of the APT group TG-3390, which has operated out of China since 2013.
Specifically, Unit 42 explained, TG-3390 has previously been observed using webshells and tooling popular among Chinese actors, and carrying out lateral movement and attacks against domain controllers.
Collection is different.
"The webshells and the vulnerability are different, but once the actor gained access to an environment we also see overlap in some of the tooling."
On September 16, 2013, CISA published indicators of compromise related to ManageEngine ADSelfService Plus and advised organizations to "take immediate action."
In addition, CISA recommends resetting domain-wide passwords and resetting the Kerberos Ticket Granting Ticket (TGT) account password twice.
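The double reset of the TGT account (krbtgt) is the step that invalidates any Kerberos tickets an attacker could forge with the credentials KdcSponge harvested from a domain controller, because the KDC keeps accepting tickets signed with the previous key until it has been rotated out twice. As an added example (not CISA's or Microsoft's script), the PowerShell below performs one reset, forces replication, and refuses to perform the second until at least one full TGT lifetime has passed since the first, so that the rotation does not break authentication for tickets that are still legitimately in use. It assumes the ActiveDirectory RSAT module, Domain Admin rights and the default 10-hour maximum TGT lifetime.

```powershell
# Added example, not CISA's or Microsoft's script. Performs one of the two krbtgt
# resets CISA calls for and refuses the second until the tickets issued under the
# previous key have expired, so the domain is not broken mid-rotation.
# Requires the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int] $Length = 40)
    # The krbtgt password is never typed by anyone; only its derived keys are used,
    # so a long CSPRNG-derived printable string is sufficient. The modulo mapping has
    # a slight bias, which the generous length more than compensates for.
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = [char[]](33..126)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Count] })
}

function Test-KrbtgtResetSafe {
    param(
        [Parameter(Mandatory)] [datetime] $PasswordLastSet,
        [int] $MaxTgtLifetimeHours = 10   # AD default; raise it if Kerberos policy sets a longer TGT lifetime
    )
    # Tickets signed with the previous key stay valid until they expire, so the second
    # reset must wait at least one full TGT lifetime after the first.
    ((Get-Date) - $PasswordLastSet).TotalHours -ge $MaxTgtLifetimeHours
}

function Reset-KrbtgtPassword {
    param([int] $MaxTgtLifetimeHours = 10)
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    if (-not (Test-KrbtgtResetSafe -PasswordLastSet $krbtgt.PasswordLastSet -MaxTgtLifetimeHours $MaxTgtLifetimeHours)) {
        throw ("krbtgt was last reset at {0}; wait until outstanding TGTs expire before resetting again." -f $krbtgt.PasswordLastSet)
    }
    $newPassword = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword

    # Force replication so every DC stops issuing tickets under the old key promptly.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        & repadmin /syncall $dc.HostName /AdeP | Out-Null
    }
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

# Usage: run once now, then run it again only after at least one TGT lifetime has elapsed.
# Reset-KrbtgtPassword
```

Run the function twice, not in one sitting: the first call rotates the key and the guard in Test-KrbtgtResetSafe makes the second call fail until outstanding tickets have expired. Resetting the domain-wide account passwords that CISA also recommends should happen before the second krbtgt reset, otherwise an attacker holding harvested credentials can simply request fresh tickets under the new key.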