A Chinese nation-state actor known as Volt Typhoon has been discovered using never-before-seen techniques to target critical infrastructure. CrowdStrike, the cybersecurity company tracking the adversary under the name Vanguard Panda, revealed that the hacking group has been active since mid-2020 and employs unique tradecraft to maintain remote access to their targets.
According to CrowdStrike, Volt Typhoon consistently exploits ManageEngine ADSelfService Plus vulnerabilities to gain initial access. It then deploys custom web shells for persistent access and relies on living-off-the-land (LotL) techniques for lateral movement within the compromised environment.
Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that has previously targeted the U.S. government, defense organizations, and critical infrastructure entities.
"This adversary relies on credentials and living-off-the-land techniques to remain stealthy and swiftly navigate through targeted environments," said Tom Etheridge, Chief Global Professional Services Officer at CrowdStrike, in an interview with The Hacker News. Analysis of the group's modus operandi reveals a strong focus on operational security, utilizing a wide range of open-source tools against a select number of victims to carry out long-term malicious activities.
The group has been described as one that "prefers web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives."
In one unsuccessful incident targeting an undisclosed customer, Volt Typhoon exploited the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server. The actor executed suspicious commands related to process enumeration and network connectivity. CrowdStrike noted that the attacker displayed familiarity with the target environment, issuing commands in rapid succession and already possessing specific internal hostnames, IP addresses, remote shares, and plaintext credentials.
Further investigation of the Tomcat access logs unveiled multiple HTTP POST requests to /html/promotion/selfsdp.jspx, which is a web shell disguised as a legitimate identity security solution to evade detection. The deployment of this web shell occurred approximately six months prior to the hands-on-keyboard activity, indicating extensive reconnaissance of the target network.
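The Tomcat access logs were what exposed the web shell here: repeated POST requests to a `.jspx` path that had no business being there, with a first-seen date months before the hands-on-keyboard activity. The following is an added example (not code from CrowdStrike or the article) of how a defender can sweep Tomcat's default-format access logs (`%h %l %u %t "%r" %s %b`) for exactly that pattern and compute the dwell window. The log lines, the source IPs, and the list of "expected" application prefixes are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in Tomcat's default access-log format (%h %l %u %t "%r" %s %b).
# They are illustrative only, not log lines from the CrowdStrike report.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2023:02:14:09 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 512
198.51.100.4 - - [03/Jan/2023:09:30:11 +0000] "GET /selfservice/index.html HTTP/1.1" 200 8124
203.0.113.7 - - [15/Jun/2023:23:41:52 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 1024
203.0.113.7 - - [15/Jun/2023:23:42:03 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 2048
198.51.100.9 - - [16/Jun/2023:08:00:00 +0000] "GET /selfservice/login.jsp HTTP/1.1" 200 3300
"""

# One regex for the whole line; %r is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Path prefixes where this hypothetical deployment legitimately serves dynamic JSP content.
# This list is an assumption for the example; tune it to the real web application layout.
EXPECTED_PREFIXES = ("/selfservice/", "/RestAPI/")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious_jsp_posts(log_text):
    """Return {path: {first_seen, last_seen, count, sources}} for POST requests to
    .jsp/.jspx files that live outside the expected application prefixes."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith((".jsp", ".jspx")):
            continue
        if path.startswith(EXPECTED_PREFIXES):
            continue
        entry = hits.setdefault(path, {
            "first_seen": rec["ts"], "last_seen": rec["ts"], "count": 0, "sources": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["count"] += 1
        entry["sources"].add(rec["ip"])
    return hits


def dwell_days(entry):
    """Whole days between the first and last observed request to a flagged path."""
    return (entry["last_seen"] - entry["first_seen"]).days


if __name__ == "__main__":
    for path, e in find_suspicious_jsp_posts(SAMPLE_LOG).items():
        print(f"{path}: {e['count']} POSTs from {sorted(e['sources'])}, "
              f"first {e['first_seen']:%Y-%m-%d}, last {e['last_seen']:%Y-%m-%d} "
              f"({dwell_days(e)} days between first and last)")
```

The first-seen timestamp is the value worth keeping: it bounds how far back the investigation has to reach, and a months-long gap between deployment and use is itself the signal the article describes.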
The exact method used by Vanguard Panda to breach the ManageEngine environment remains unclear, but evidence suggests the exploitation of CVE-2021-40539, a critical authentication bypass flaw leading to remote code execution. The threat actor attempted to delete artifacts and tamper with access logs to obscure the forensic trail. However, they overlooked Java source and compiled class files generated during the attack, leading to the discovery of additional web shells and backdoors.
One of these backdoors is a JSP file likely obtained from an external server. It backdoors "tomcat-websocket.jar" by utilizing a remotely fetched ancillary JAR file called "tomcat-ant.jar" through a web shell. Cleanup actions are performed to conceal the attack.
The trojanized version of tomcat-websocket.jar contains three new Java classes (A, B, and C). A.class acts as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
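A trojanized library JAR like the one described in the two paragraphs above (tomcat-websocket.jar gaining classes A, B and C) is detectable by plain integrity checking, because a JAR is just a ZIP archive and the genuine library's classes all sit under one package path. The following is an added example (not code from CrowdStrike or from the Tomcat project) that builds a constructed JAR in memory, flags class entries outside the expected package, and diffs class hashes against a known-good baseline. The expected package prefix and the placeholder class bytes are assumptions for the example.

```python
import hashlib
import io
import zipfile

# Package prefix the genuine tomcat-websocket.jar is expected to contain (assumption for this example).
EXPECTED_PACKAGES = ("org/apache/tomcat/websocket/",)

# Placeholder class bytes (Java class-file magic plus padding), not real compiled code.
LEGIT_CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 16


def build_constructed_jar(extra_entries, legit_bytes=LEGIT_CLASS_BYTES):
    """Build an in-memory JAR with a manifest, one legitimate-looking class, and any extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/tomcat/websocket/WsSession.class", legit_bytes)
        for name, data in extra_entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def class_entries(jar_bytes):
    """Map every .class entry in the JAR to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if info.filename.endswith(".class")
        }


def unexpected_classes(jar_bytes, expected_packages=EXPECTED_PACKAGES):
    """Class entries whose path lies outside every expected package, e.g. A.class at the JAR root."""
    return sorted(
        name for name in class_entries(jar_bytes) if not name.startswith(expected_packages)
    )


def diff_against_baseline(jar_bytes, baseline):
    """Compare class entries with a known-good baseline {name: sha256}.
    Returns (added, modified, removed) entry names."""
    current = class_entries(jar_bytes)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in set(current) & set(baseline) if current[n] != baseline[n])
    return added, modified, removed


if __name__ == "__main__":
    clean = build_constructed_jar({})
    baseline = class_entries(clean)  # record this from a pristine install or vendor download
    trojanized = build_constructed_jar({
        "A.class": b"\xca\xfe\xba\xbe" + b"\x01" * 16,
        "B.class": b"\xca\xfe\xba\xbe" + b"\x02" * 16,
        "C.class": b"\xca\xfe\xba\xbe" + b"\x03" * 16,
    })
    print("outside expected package:", unexpected_classes(trojanized))
    print("added/modified/removed vs baseline:", diff_against_baseline(trojanized, baseline))
```

The package-prefix check needs no baseline and catches the case the article describes; the hash diff additionally catches an attacker who rewrites an existing class in place rather than adding new ones, which is why both checks are worth running over every library under the Tomcat `lib` directory.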
"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP [tactics, techniques, and procedures] in use by Vanguard Panda," stated CrowdStrike. They expressed moderate confidence that the implant serves to "enable persistent access to high-value targets after the initial access phase of operations using zero-day vulnerabilities."
Etheridge emphasized that Vanguard Panda had an advanced understanding of the victim's environment, indicating their persistence and ability to evade detection during reconnaissance efforts. He added, "Additionally, it moved evidence, covering their tracks as they moved deeper into the victim's infrastructure."
Implementing robust security measures, patch management, and comprehensive logging is crucial to protect against such advanced threat actors.