APT

China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks

China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted observing a novel tradecraft to gain initial access to target networks.

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

Crowdstrike reported that the group employed ManageEngine Self-service Plus exploits to gain initial access, then the attackers rely on custom webshells to achieve persistent access, and living-off-the-land (LOTL) techniques for lateral movement.

In one of the attacks blocked by the security firm, the APT group targeted a Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server.

“The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI.” reads the analysis published by the company. “VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.”

The analysis of the Apache Tomcat access logs revealed the execution of multiple HTTP POST requests to /html/promotion/selfsdp.jspx, which is a web shell used by the threat actors.

Crowdstrike reported that the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software.

The researchers believe that the VANGUARD PANDA group had a deep knowledge of the target environment clearly obtained by performing extensive prior recon and enumeration.

The attackers likely prior obtained/compromised administrator credentials, however, Crowdstrike did no find access log artifacts for CVE-2021-40539, but they pointed out that the Falcon sensor was only recently installed on the targeted host.

In September 2021, Zoho released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warned the vulnerability was exploited in attacks in the wild.

The vulnerability resides in the REST API URLs in ADSelfService Plus and could lead to remote code execution (RCE)

The absence of artifacts demonstrating the exploitation of the above issue in the attack analyzed by Crowdstrike demonstrates that attackers have attempted to cover their tracks.

VANGUARD PANDA hackers failed to clear out the generated Java source or compiled Class files revealing numerous webshells and backdoors employed in the same attack. 

Below is the attack chain employed by the attackers:

  • Use webshell to retrieve ListName.jsp from a remote source, and place in web server directory
  • Use webshell to retrieve tomcat-ant.jar from a remote source and move to C:/users/public/ Use webshell to copy tomcat-websocket.jar out of the Apache Tomcat library directory into C:/users/public
  • Make an HTTP GET request to ListName.jsp, which would move A, B, and C classes from tomcat-ant.jar to tomcat-websocket.jar
  • Use webshell to replace the tomcat-websocket.jar in the Apache Tomcat library with the backdoored version
  • Cleanup (Delete JARs out of C:/users/public, Delete ListName.jsp out of the web server directory, Clear Apache Tomcat access logs)

“The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by VANGUARD PANDA. This backdoor was likely used by VANGUARD PANDA to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VANGUARD PANDA)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Oracle Agile PLM bugs to its…

22 hours ago

More than 2,000 Palo Alto Networks firewalls hacked exploiting recently patched zero-days

Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities.…

1 day ago

Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office

Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the…

2 days ago

US DoJ charges five alleged members of the Scattered Spider cybercrime gang

The U.S. Justice Department charged five suspects linked to the Scattered Spider cybercrime gang with…

2 days ago

Threat actor sells data of over 750,000 patients from a French hospital

A threat actor had access to electronic patient record system of an unnamed French hospital,…

2 days ago

Decade-old local privilege escalation bugs impacts Ubuntu needrestart package<gwmw style="display:none;"></gwmw>

Decade-old flaws in the needrestart package in Ubuntu Server could allow local attackers to gain…

2 days ago

This website uses cookies.