You’ll never guess who’s been exploiting the ManageEngine service to steal passwords

Palo Alto Networks’ Unit 42 research team has said criminals using tools accompanied by Chinese instructions gained access to high-interest networks and stole passwords after exploiting at least 370 password management services in the US.

“As early as September 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet,” wrote Unit 42. “Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October.”

Unit 42 said that between September and October, the miscreant successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.

The vulnerability exploited by the attackers was originally reported by the Cybersecurity and Infrastructure Security Agency (CISA), which issued an alert on 16 September. An unrelated group of cyber actors had exploited the vulnerability in the same password management service, Zoho Group’s ManageEngine ADSelfServicePlus, as early as August 2021.

“Advanced persistent threat (APT) cyber actors have targeted academic institutions, defence contractors, and critical infrastructure entities in multiple industry sectors – including transportation, IT, manufacturing, communications, logistics, and finance,” warned CISA.

The attackers uploaded .zip files with a JavaServer Pages (JSP) webshell disguised as an x509 certificate and made subsequent requests to various API endpoints to further exploit compromised systems. The attackers then moved laterally using Windows Management Instrumentation (WMI), gained access to a domain controller, and exfiltrated registry hive and Active Directory files. The crims hid their tracks by running clean-up scripts.
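A defender can test whether a file that is named or served as a certificate is actually certificate-shaped. The sketch below is an added example, not code from Unit 42 or from this article; the function names, the JSP marker list and the sample files are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic markers chosen for this example; they are not indicators from the report.
JSP_MARKERS = (b"<%", b"%>", b"<jsp:")
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose declared length fits."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def classify_cert_file(data: bytes) -> str:
    """Classify the bytes of a file that is named or served as a certificate."""
    blocks = PEM_RE.findall(data)
    if not blocks and der_sequence_ok(data):
        return "plausible-certificate"     # raw DER: skip marker scan on binary
    if any(marker in data for marker in JSP_MARKERS):
        return "script-content"            # base64 never contains '<' or '%'
    try:
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    except ValueError:
        return "not-a-certificate"
    if ders and all(der_sequence_ok(d) for d in ders):
        return "plausible-certificate"
    return "not-a-certificate"

# Constructed samples: a structurally valid but empty DER shell, and a harmless JSP page.
FAKE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLES = {
    "der.cer": FAKE_DER,
    "pem.crt": b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
               + b"-----END CERTIFICATE-----\n",
    "page.cer": b'<%@ page contentType="text/plain" %>\n<% out.println("hi"); %>\n',
    "notes.crt": b"this is plain text, not a certificate\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_cert_file(blob)}")
```

The check only validates the outer DER envelope, so a "plausible-certificate" result means the file is certificate-shaped, not that it is a trusted or well-formed certificate.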

Zoho Corp issued a fix 10 days prior to the announcement on 6 September, but the attacks had been active as early as August 2021, so a good amount of damage was done.

Within days Unit 42 identified an unrelated campaign that attacked the same vulnerability. The research team believes the scans were indiscriminate in nature.

The new team of crims gifted their victims a Godzilla webshell, with some also receiving a backdoor called NGLite. The pair are publicly available on GitHub and are believed to be operated together as a form of redundancy. Once one or the other was used to run commands, the attackers moved laterally onto the network where they could find the files they wanted and directly download them from the server. Then the attackers installed a new password-stealing tool called KdcSponge.

Unit 42 described Godzilla as a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality, and returns the result via an HTTP response, which allows attackers to keep code that could potentially be flagged as malicious off the target system until execution.

NGLite, on the other hand, is described as an “anonymous cross-platform remote control program based on blockchain technology.” It leverages New Kind of Network (NKN) infrastructure for its command-and-control (C2) communications in order to remain anonymous. NKN is used legitimately for many reasons, but rarely as a C2 channel.

As for KdcSponge, it injects itself into the Local Security Authority Subsystem Service (LSASS) process, where it hooks undocumented functions to collect usernames and passwords from inbound Kerberos authentication attempts to the domain and records them in a file.

The identity of the threat actor remains a mystery. However, there are some similarities between this attack and Group-3390, also known as Emissary Panda, which is believed to operate from China. ®