Attackers targeted a recently patched, critical-severity flaw in ManageEngine ADSelfService Plus in order to exfiltrate data from nine entities across the technology, defense, healthcare, energy and education sectors.
The known authentication bypass flaw (CVE-2021-40539) exists in ADSelfService Plus, a self-service password management and single sign-on solution from ManageEngine, a division of Zoho. Patches for the vulnerability were issued on Sept. 7, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 released an alert warning that the flaw was being actively exploited by advanced persistent threat (APT) actors.
In a new report on Sunday, researchers with Palo Alto Networks’ Unit 42 team said they have observed a second, unrelated campaign carrying out successful attacks against the same flaw. In this campaign, attackers leveraged leased infrastructure in the U.S. to scan hundreds of organizations across the internet as early as Sept. 17; exploitation attempts began on Sept. 22 and continued into early October. As part of these attacks, researchers observed a new credential-stealing tool, called KdcSponge, being deployed on victims’ domain controllers.
“Unit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” said Robert Falcone, Jeff White and Peter Renals, security researchers with Unit 42. “The threat actor gathered sensitive files to a staging directory and created password-protected multi-volume RAR archives in the Recycler folder. The actor exfiltrated the files by directly downloading the individual RAR archives from externally facing web servers.”
The attackers utilized the vulnerability to gain an initial foothold on organizations. From there, researchers observed them uploading a payload to victims’ networks, which then installed Godzilla, a webshell with more functionality and a higher level of network evasion than other webshells used by regional threat groups, such as China Chopper, said researchers. The Godzilla webshell, which is publicly available for download on GitHub, parses inbound HTTP POST requests, decrypts the content and executes the payload, allowing attackers to keep code that’s likely to be flagged as malicious at bay until they are ready to execute it.
In a smaller subset of attacks, researchers also observed a modified version of a backdoor called NGLite, an open-source backdoor written in the Go language that is described by its author as an “anonymous cross-platform remote control program based on blockchain technology.” The backdoor works by leveraging what researchers say is a “very uncommon” tactic for its command-and-control (C2) channel: New Kind of Network (NKN) infrastructure, a legitimate networking service that relies on blockchain technology to support a decentralized network.
The attackers utilized either Godzilla or NGLite to run commands and move laterally through the network, while also exfiltrating data. As part of this data exfiltration effort, researchers observed KdcSponge being deployed on victims’ domain controllers. The tool works by injecting itself into the Local Security Authority Subsystem Service (LSASS), the process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. From there, it hooks specific functions (KdcVerifyEncryptedTimeStamp, KerbHashPasswordEx3 and KerbFreeKey) to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos.
“The malicious code writes stolen credentials to a file but is reliant on other capabilities for exfiltration,” said researchers. "KdcSponge will capture the domain name, username and password to a file on the system that the threat actor would then exfiltrate manually through existing access to the server."
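Two of the behaviours described above leave traces a defender can look for on the compromised web server itself: a dropped webshell such as Godzilla receives a stream of referrer-less HTTP POST requests to a single script file, and the staged RAR volumes are pulled down with plain GET requests from externally facing web servers. The following Python is an added, illustrative detection script; it is not code from Unit 42, Zoho or the article. It assumes the web server writes NCSA combined-format access logs, and the log lines, IP addresses (RFC 5737 documentation ranges), paths and the Recycler file listing are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample access log in NCSA combined format. Hosts, IPs, paths
# and timestamps are made up for this example and do not come from the report.
SAMPLE_ACCESS_LOG = """\
198.51.100.20 - - [23/Sep/2021:10:01:12 +0000] "GET /selfservice/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2021:10:02:40 +0000] "POST /webapps/images/upload/theme.jsp HTTP/1.1" 200 38 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2021:10:02:41 +0000] "POST /webapps/images/upload/theme.jsp HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2021:10:02:43 +0000] "POST /webapps/images/upload/theme.jsp HTTP/1.1" 200 2204 "-" "Mozilla/5.0"
198.51.100.20 - - [23/Sep/2021:10:03:00 +0000] "GET /selfservice/images/logo.png HTTP/1.1" 200 8421 "https://example.test/selfservice/index.html" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2021:02:15:09 +0000] "GET /webapps/images/upload/docs.part1.rar HTTP/1.1" 200 104857600 "-" "curl/7.68.0"
203.0.113.7 - - [24/Sep/2021:02:16:30 +0000] "GET /webapps/images/upload/docs.part2.rar HTTP/1.1" 200 104857600 "-" "curl/7.68.0"
203.0.113.7 - - [24/Sep/2021:02:17:51 +0000] "GET /webapps/images/upload/docs.r00 HTTP/1.1" 200 73400320 "-" "curl/7.68.0"
"""

# Constructed file listing standing in for a directory walk of the server.
SAMPLE_STAGING_PATHS = [
    "C:\\RECYCLER\\S-1-5-21-0-0-0-500\\docs.part1.rar",
    "C:\\$Recycle.Bin\\S-1-5-21-0-0-0-500\\docs.r00",
    "C:\\Users\\alice\\Documents\\report.docx",
    "C:\\temp\\docs.rar",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# RAR volumes: plain .rar, multi-volume .partN.rar (still ends in .rar) or legacy .rNN
RAR_VOLUME_RE = re.compile(r"\.(?:rar|r\d{2})(?:\?.*)?$", re.IGNORECASE)
# Server-side script extensions a dropped webshell would typically use
SCRIPT_RE = re.compile(r"\.(?:jsp|jspx|aspx?|php)$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_archive_downloads(log: str) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, bytes) for every successful GET of a RAR volume."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if RAR_VOLUME_RE.search(rec["path"]):
            size = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
            hits.append((rec["ip"], rec["path"], size))
    return hits


def find_webshell_candidates(log: str, min_posts: int = 3) -> Dict[Tuple[str, str], int]:
    """Count referrer-less POSTs per (client_ip, script path); keep those at or above min_posts.

    A browser-driven form post normally carries a Referer; a webshell client does not.
    """
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if SCRIPT_RE.search(rec["path"]) and rec["referer"] in ("", "-"):
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= min_posts}


def find_recycler_archives(paths: List[str]) -> List[str]:
    """Flag RAR volumes staged under a Recycler / $Recycle.Bin directory."""
    flagged = []
    for p in paths:
        components = [c.lower() for c in re.split(r"[\\/]+", p)]
        if any(c in ("recycler", "$recycle.bin") for c in components) and RAR_VOLUME_RE.search(p):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for ip, path, size in find_archive_downloads(SAMPLE_ACCESS_LOG):
        print(f"archive download: {ip} {path} ({size} bytes)")
    for (ip, path), n in find_webshell_candidates(SAMPLE_ACCESS_LOG).items():
        print(f"webshell candidate: {n} referrer-less POSTs from {ip} to {path}")
    for p in find_recycler_archives(SAMPLE_STAGING_PATHS):
        print(f"staged archive: {p}")
```

The POST threshold and the choice of script extensions are tuning knobs, not indicators from the report; on a real server, baseline the set of script files that legitimately accept POSTs first, then alert on anything outside that set. Summing the byte counts per client over a window turns the archive-download check into a crude exfiltration-volume alarm.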
Researchers said that attribution for the campaign is still ongoing and they have been unable to validate the attacker. However, they did observe some correlations between the tactics and tooling used in this campaign and those used by APT27 (also known as TG-3390 or Emissary Panda), a Chinese cyberespionage threat group that’s been around since 2010.
“Specifically… we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” they said. “While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.”
Organizations are urged to update to the latest build of ADSelfService Plus, 6114, which fixes the vulnerability.
“FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,” according to CISA in its September advisory. “Additionally, FBI, CISA, and CGCYBER strongly urge organizations to ensure ADSelfService Plus is not directly accessible from the internet.”