China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks
Cyber Security Threat Summary:
“CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors” (Security Affairs, 2023).
The group is using living-of-the-land (LOTL) techniques mixed with hands-on-keyboard activity to avoid detection from security products. Specifically, the group has been using ManageEngine Self-service Plus exploits to obtain initial access. From there they will drop custom webshells to achieve persistent access. They will then use LOTL techniques where an attacker uses tools that are already present in the environment, such as PowerShell or Windows Management Instrumentation (WMI) to move laterally.
“The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI.” reads the analysis published by the company. “VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.”
Security Officer Comments:
In the activity seen by Crowdstrike, the APT group executed multiple HTTP POST requests using a custom webshell masquerading as a legitimate file of ManageEngine ADSelfService Plus. The threat actors appear to have had deep knowledge of victim environments indicating they likely perform prior recon and enumeration before carrying out attacks. According to Crowdstrike, the attackers likely obtained/compromised administrator credentials prior to attacks, however, Crowdstrike did no find access log artifacts for CVE-2021-40539, but they pointed out that the Falcon sensor was only recently installed on the targeted host.
In September 2021, Zoho released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warned the vulnerability was exploited in attacks in the wild. The vulnerability resides in the REST API URLs in ADSelfService Plus and could lead to remote code execution (RCE)
Due to not finding artifacts, it is believed the attackers did a good job of covering their tracks, deleting any signs of intrusion as they moved around. The hackers did however fail to clear out the generated Java source or compiled Class files revealing numerous webshells and backdoors employed in the same attack:
Suggested Correction(s):
The threat actors leveraged a vulnerable unpatched product (Zoho ManageEngine ADSelfService Plus) exposed on the Internet to gain initial access to victim networks before pivoting laterally. Organizations should look to prioritize patching as soon as they are available. Threat actors continue to quickly weaponize vulnerabilities in targeted attacks soon after their disclosure.
Link(s):
https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/
https://securityaffairs.com/147820/apt/vanguard-panda-novel-attacks.html