Zoho’s ManageEngine Password Manager Flaw Torched by Godzilla Webshell

Researchers have spotted a second, worldwide campaign exploiting the ManagedEngine SelfServiceAD Plus zero-day: one that’s breached defense, energy and healthcare organizations.

A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.

On Sunday, Palo Alto Network’s Unit 42 researchers said that the targeted cyberespionage campaign is distinct from the ones that the FBI and CISA warned about in September.

The bug is a critical authentication bypass flaw – CVE-2021-40539 – that allows unauthenticated remote code execution (RCE). Zoho patched the vulnerability in September, but it’s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users’ Active Directory (AD) and cloud accounts.

Infosec Insiders Newsletter

Consequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users and attackers alike.

CISA’s alert explained that in the earlier attacks,  state-backed, advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.

Nine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.

Unit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.

“While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised.” they said.

Godzilla Webshell Does Some Heavy Lifting

Unit 42 said that after threat actors exploited CVE-2021-40539 to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.

The actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called NGLite and a new credential-stealer that Unit 42 is tracking as KdcSponge.

“The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server,” according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.

Both Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.

“We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it “parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.”

As such, attackers can refrain from inflicting targeted systems with code that’s likely to be flagged as malicious until they’re ready to dynamically execute it, researchers said.

Using NKN to Communicate Is an Eye-Opener

“NGLite is characterized by its author as an ‘anonymous cross-platform remote control program based on blockchain technology,'” United 42 researchers Robert Falcone, Jeff White and Peter Renals explained. “It leverages New Kind of Network (NKN) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.”

The researchers noted that using NKN – a legitimate networking service that uses blockchain technology to support a decentralized network of peers – for a C2 channel is “very uncommon.”

“We have seen only 13 samples communicating with NKN altogether – nine NGLite samples and four related to a legitimate open-source utility called Surge that uses NKN for file sharing.”

Threat Actor Shares TTPs with Emissary Panda

Unit 42 said the identity of the threat actor is unclear, but researchers saw correlations in tactics and tooling between the attacker and that of Threat Group 3390, aka Emissary Panda, APT27, Bronze Union and LuckyMouse), an APT that’s been around since 2013 and which is believed to operate from China.

“Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” Unit 42 said. “While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.”

110921 08:51 UPDATE: Microsoft said on Monday that it’s attributing this campaign with high confidence to DEV-0322, a group operating out of China, “based on observed infrastructure, victimology, tactics, and procedures.”

Microsoft’s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day – CVE-2021-35211, a remote memory escape – that SolarWinds patched in July.

MSTIC researchers said that the attacks in this new round of beating up Zoho password manager are installing a custom IIS module. IIS, or Internet Information Services, is an extensible web server software created by Microsoft for use with the Windows NT family.

Besides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

In its Sept. 16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should “take action immediately.”

Also, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, “if any indication is found that the NTDS.dit file was compromised.”

Classic Cyberespionage Targets: Healthcare and Energy

If the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won’t be surprising, some said. Dave Klein, cyber evangelist and director at Cymulate, pointed to the People’s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.

He pointed to the 2015 breach of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly attributed to the PRC. It included exquisitely sensitive information, including millions of federal employees’ fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.

“The PRC got into clearance background information data including very sensitive information. Subsequently in that case they were looking for weaknesses in US classified personnel – which would include health hardships – either personally or related to them,” Klein told Threapost via email on Monday.

He noted that following the OPM breach, some healthcare agencies were subsequently breached, including Anthem Health: an attack that affected more than 78 million people. “The interest in healthcare data globally continues not only for espionage purposes against targets – building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,” Klein noted. “On energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.”

If Patching Isn’t Mandatory, a Breach Is a Given

Mike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and MangeEngine are ripe fruit for threat actors to pluck. Organizations that can’t or won’t patch are sitting ducks, he said.

“For whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn’t keep patching updated,” Denapoli told Threatpost. “We have reached the point where patching is a must – within a reasonable amount of time – and needs to be performed. While you don’t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. If not, then a breach is mandatory.”

Image courtesy of AlphaCoders.

110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.

Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for “An Intro to OSquery and CloudQuery,” a LIVE, interactive conversation with Eric Kaiser, Uptycs’ senior security engineer, about how this open-source tool can help tame security across your organization’s entire campus.

Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at becky.bracken@threatpost.com.

Suggested articles