The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The adversary consistently employed ManageEngine ADSelfService Plus exploits to gain initial access, followed by custom web shells for persistent access and Living-off-the-Land (LotL) techniques for lateral movement. The same threat actor is also tracked as Vanguard Panda.[1]
See: https://redskyalliance.org/xindustry/living-off-the-land-lotl
Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China linked to network intrusion operations against the US government, defense, and other critical infrastructure organizations. A recent analysis of the group's operations revealed its emphasis on operational security: it carefully uses an extensive set of open-source tools against a limited number of victims to carry out long-term malicious activity. It has further been described as a threat group that "favors web shells for persistence and relies on short bursts of activity primarily involving Living-off-the-Land binaries to achieve its objectives."
In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands related to process enumeration and network connectivity, among others. Vanguard Panda's actions indicated familiarity with the target environment: the commands were issued in rapid succession, and the actor already had specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for Windows Management Instrumentation (WMI).
The malicious use of WMI and other legitimate tools has grown and has been identified as a top trend. Like PowerShell, WMI is often used to create fileless attacks that are difficult to identify and stop with technology alone. This makes WMI a perfect tool for threat actors to use as camouflage while active inside an organization.
A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell camouflaged as the legitimate identity security solution to sidestep detection. The web shell is believed to have been deployed nearly six months before the hands-on-keyboard activity, indicating extensive prior reconnaissance of the target network.
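The access-log review described above can be scripted. The following is an added example, not the article's or Red Sky Alliance's code: it parses Tomcat AccessLogValve lines, flags every request to the web shell path the article names, and reports first/last contact and the dwell time between them. The log lines are constructed for illustration; the IP addresses and timestamps are not from the incident.

```python
"""Hunt Tomcat access logs for requests to the web shell path named in the
article (/html/promotion/selfsdp.jspx). Added example, not the article's or
Red Sky Alliance's code; the log lines below are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime

# Fields of Tomcat's AccessLogValve "common"/"combined" patterns
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Only the path reported in the article; extend with your own indicators
WEBSHELL_PATHS = {"/html/promotion/selfsdp.jspx"}

# Constructed sample: one early POST, then hands-on activity months later
SAMPLE_LOG = """\
10.0.5.21 - - [03/Oct/2022:09:12:44 +0000] "GET /samlLogin/LoginAuth HTTP/1.1" 200 5120
198.51.100.7 - - [03/Oct/2022:09:13:02 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 412
10.0.5.21 - - [03/Oct/2022:09:15:10 +0000] "GET /images/logo.png HTTP/1.1" 304 -
198.51.100.7 - - [01/Apr/2023:22:41:37 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 1987
198.51.100.7 - - [01/Apr/2023:22:41:39 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 2203
this line is not a valid access log entry
"""


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip any query string so "/x.jspx?..." still matches the bare path
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_webshell_hits(lines):
    """All parseable requests whose path is a known web shell path, any HTTP method."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WEBSHELL_PATHS:
            hits.append(rec)
    return hits


def summarize(hits):
    """First/last contact, dwell time in days, and request counts per source IP."""
    if not hits:
        return {"first_seen": None, "last_seen": None, "span_days": 0, "sources": {}}
    first = min(h["ts"] for h in hits)
    last = max(h["ts"] for h in hits)
    return {
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "span_days": (last - first).days,
        "sources": dict(Counter(h["ip"] for h in hits)),
    }


if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print(summarize(hits))
```

Matching on any HTTP method rather than POST alone is deliberate: a GET probe of the shell path is still worth seeing, and the gap between the first hit and the cluster of later ones is what reveals how long the implant sat unused.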
While it is not immediately clear how Vanguard Panda breached the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw that results in remote code execution. The threat actor is suspected of deleting artifacts and tampering with the access logs to obscure the forensic trail. In a glaring misstep, that cleanup failed to account for the Java source and compiled class files generated during the attack, leading to the discovery of more web shells and backdoors.
These include a JSP file, likely retrieved from an external server, that is designed to backdoor "tomcat-websocket.jar" using an ancillary JAR file called "tomcat-ant.jar", which is also fetched remotely through a web shell; cleanup actions are then performed to cover the tracks.
The trojanized version of tomcat-websocket.jar is fitted with three new Java classes, A, B, and C, with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands. The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda.
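A library backdoored this way is found by comparing the deployed JAR against a known-good copy. The following is an added example, not the article's code: it diffs two JARs entry by entry by content hash, and separately applies a baseline-free heuristic that flags class files sitting outside any package or carrying one-letter names, which is how the A, B and C classes described above would stand out. Both JARs are constructed in memory with placeholder class bytes; the baseline is assumed to be a pristine copy of the same library version.

```python
"""Compare a deployed Tomcat library against a known-good copy to surface
injected classes like the A, B and C classes the article describes in the
trojanized tomcat-websocket.jar. Added example, not the article's code; both
JARs are constructed in memory with placeholder class bytes, and the baseline
is assumed to be a pristine copy of the same library version."""
import hashlib
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file header; bodies below are filler


def build_jar(entries):
    """Build a JAR (a zip) in memory from a {entry name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def jar_digests(jar_bytes):
    """Map each file entry in the JAR to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(baseline_bytes, suspect_bytes):
    """Entries added, removed or changed in the suspect JAR relative to the baseline."""
    base = jar_digests(baseline_bytes)
    susp = jar_digests(suspect_bytes)
    common = base.keys() & susp.keys()
    return {
        "added": sorted(susp.keys() - base.keys()),
        "removed": sorted(base.keys() - susp.keys()),
        "modified": sorted(n for n in common if base[n] != susp[n]),
    }


def suspicious_entries(jar_bytes):
    """Baseline-free heuristic: class files outside any package or with one-letter names."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            stem = name.rsplit("/", 1)[-1][: -len(".class")]
            if "/" not in name or len(stem) == 1:
                flagged.append(name)
    return sorted(flagged)


# Constructed test data: pristine library vs. a copy with injected classes
BASELINE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": CLASS_MAGIC + b"\x00" * 16,
    "org/apache/tomcat/websocket/Util.class": CLASS_MAGIC + b"\x01" * 16,
})
SUSPECT_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: repacked\n",
    "org/apache/tomcat/websocket/WsSession.class": CLASS_MAGIC + b"\x00" * 16,
    "org/apache/tomcat/websocket/Util.class": CLASS_MAGIC + b"\x01" * 16,
    "A.class": CLASS_MAGIC + b"\x02" * 16,
    "B.class": CLASS_MAGIC + b"\x03" * 16,
    "C.class": CLASS_MAGIC + b"\x04" * 16,
})

if __name__ == "__main__":
    print(diff_jars(BASELINE_JAR, SUSPECT_JAR))
    print(suspicious_entries(SUSPECT_JAR))
```

Hashing per entry rather than the whole file matters because a repacked JAR changes its outer checksum even when nothing malicious was added; the per-entry diff tells you exactly which classes are new. The heuristic is a fallback for hosts where no pristine copy of the library is available.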
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://thehackernews.com/2023/06/chinese-hackers-using-never-before-seen.html