How Chinese APT groups are exploiting Zoho ManageEngine vulnerabilities to spy on enterprises

In its latest investigation, Palo Alto Networks’ Unit 42 detailed how a group of unknown hackers used a number of malicious tools to spy on enterprise networks in the U.S. after exploiting at least 370 deployments of a password management service. A striking feature of these tools is that they are accompanied by instructions written in Chinese, which could be an indication of the origin of the attack.

The researchers note that these attacks were detected between September and October 2021, impacting organizations in the technology, healthcare, energy and defense industries. The attacks involved the exploitation of a vulnerability in the Zoho ManageEngine ADSelfService Plus password management service that had been reported by the Cybersecurity and Infrastructure Security Agency (CISA).

The attack involved uploading ZIP files containing a JavaServer Pages (JSP) webshell disguised as an X.509 certificate, which allowed the hackers to make subsequent requests to various API endpoints and compromise the affected systems. The attackers then used Windows Management Instrumentation (WMI) to access a domain controller and extract files from Active Directory, and used cleanup tools to cover their tracks.
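The first step described above, a JSP file masquerading as a certificate inside an uploaded ZIP, is something a defender can check for before the archive is processed. The following is an added example, not code from Unit 42 or from Zoho; it assumes the uploaded archive bytes are available for inspection and uses a constructed sample ZIP with placeholder entries.

```python
import io
import re
import zipfile

# JSP directives and scriptlets; a genuine certificate file never contains these.
JSP_MARKERS = re.compile(rb"<%[@=!]?|<jsp:")
PEM_HEADER = re.compile(rb"-----BEGIN [A-Z ]+-----")


def classify_blob(data: bytes) -> str:
    """Return 'pem', 'der', 'jsp' or 'unknown' for the bytes of an uploaded 'certificate'."""
    if JSP_MARKERS.search(data):
        return "jsp"
    if PEM_HEADER.match(data.lstrip()):
        return "pem"
    # DER X.509: outer SEQUENCE (0x30) with a long-form length that covers the rest of the
    # file. Real certificates are always larger than 127 bytes, so short-form lengths are
    # deliberately treated as 'unknown'.
    if len(data) >= 4 and data[0] == 0x30 and data[1] & 0x80:
        n = data[1] & 0x7F
        if 1 <= n <= 4 and len(data) >= 2 + n:
            length = int.from_bytes(data[2:2 + n], "big")
            if length == len(data) - 2 - n:
                return "der"
    return "unknown"


def scan_certificate_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Classify every file entry of an uploaded ZIP so non-certificates can be rejected."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append((info.filename, classify_blob(zf.read(info))))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one harmless PEM stub and one '.cer' whose body is a JSP scriptlet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ca.pem", "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
        zf.writestr("service.cer", '<%@ page language="java" %><%= "not a certificate" %>')
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in scan_certificate_zip(build_sample_zip()):
        print(f"{name}: {kind}")  # service.cer is reported as 'jsp' and should be rejected
```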

While Zoho released a patch just over a month ago, the attacks are believed to have started as early as August 2021, so it was not possible to protect all organizations that use this password manager.

In another attack, seemingly separate from this campaign, malicious hackers abused the password manager to deliver the Godzilla webshell and the NGLite backdoor to victims, both of which are available on GitHub. A final stage of this attack involved the use of KdcSponge, a tool for password theft.

While experts describe Godzilla as a webshell with all kinds of built-in functions, NGLite is described as an anonymous remote control platform based on blockchain technology. The combined use of both tools might sound redundant, but for the threat actors behind this campaign it seems to have proved functional.

There are some indications of the origin of this malicious activity, but it has not yet been possible to determine which hacking group is responsible. The experts concluded by noting similarities between these attacks and those deployed by Emissary Panda, a hacker group operating out of China, although nothing has been confirmed.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.