China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks

China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted using a novel tradecraft to gain initial access to target networks.

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks.

The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

CrowdStrike reported that the group exploited ManageEngine ADSelfService Plus to gain initial access, then relied on custom webshells to achieve persistent access and on living-off-the-land (LOTL) techniques for lateral movement.

In one of the attacks blocked by the security firm, the APT group targeted a Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server.

“The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI.” reads the analysis published by the company. “VANGUARD PANDA’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.”

The analysis of the Apache Tomcat access logs revealed the execution of multiple HTTP POST requests to /html/promotion/selfsdp.jspx, which is a web shell used by the threat actors.

CrowdStrike reported that the webshell attempted to masquerade as a legitimate ManageEngine ADSelfService Plus file by setting its title to "ManageEngine ADSelfService Plus" and adding links to legitimate enterprise help desk software.
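As an added example (not code from the report or this post), the following Python script triages Tomcat access logs the way a responder would for the activity above: it parses each line, ignores everything that is not a `.jsp`/`.jspx` request, and flags any script path that is not in an allowlist of the JSPs the deployed application is known to serve. The log lines and the allowlist are constructed for the example; the real allowlist would be generated from the webapp directory.

```python
import re

# Tomcat AccessLogValve "common" format: host - user [time] "METHOD path HTTP/x.y" status bytes
# (regex written for this example; adapt it if your valve uses a custom pattern)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines modelled on the activity described above; not real data
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2023:10:15:32 +0000] "GET /html/promotion/selfsdp.jspx HTTP/1.1" 200 1342
10.0.0.5 - - [20/Jun/2023:10:15:40 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 512
10.0.0.5 - - [20/Jun/2023:10:16:02 +0000] "POST /html/promotion/selfsdp.jspx?c=1 HTTP/1.1" 200 88
10.0.0.9 - - [20/Jun/2023:10:18:11 +0000] "GET /ListName.jsp HTTP/1.1" 200 23
10.0.0.9 - - [20/Jun/2023:10:20:00 +0000] "GET /index.jsp HTTP/1.1" 200 2040
10.0.0.9 - - [20/Jun/2023:10:20:01 +0000] "GET /images/logo.png HTTP/1.1" 200 9011
"""

# Allowlist of JSP/JSPX paths the application legitimately serves (constructed; in practice
# build it from the webapp directory, e.g. every *.jsp / *.jspx under webapps/).
KNOWN_JSP_PATHS = {"/index.jsp"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_unknown_jsp(lines, known_paths=KNOWN_JSP_PATHS):
    """Return (ip, method, path, count) for every .jsp/.jspx path not in the allowlist."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip the query string and lowercase: the Windows host serves paths case-insensitively
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith((".jsp", ".jspx")) or path in known_paths:
            continue
        key = (rec["ip"], rec["method"], path)
        counts[key] = counts.get(key, 0) + 1
    return [(ip, method, path, n) for (ip, method, path), n in counts.items()]


if __name__ == "__main__":
    for hit in flag_unknown_jsp(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because the attackers cleared the Tomcat access logs in this case, the check is only useful on logs that were shipped off the host before the cleanup step.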

The researchers believe that the VANGUARD PANDA group had a deep knowledge of the target environment clearly obtained by performing extensive prior recon and enumeration.

The attackers had likely obtained or compromised administrator credentials beforehand; however, CrowdStrike did not find access log artifacts for CVE-2021-40539, while pointing out that the Falcon sensor had only recently been installed on the targeted host.

In September 2021, Zoho released a security patch to address an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warned the vulnerability was exploited in attacks in the wild.

The vulnerability resides in the REST API URLs of ADSelfService Plus and could lead to remote code execution (RCE).

The absence of artifacts demonstrating the exploitation of the above issue in the attack analyzed by CrowdStrike indicates that the attackers attempted to cover their tracks.

VANGUARD PANDA hackers failed to clear out the generated Java source or compiled class files, revealing numerous webshells and backdoors employed in the same attack.

Below is the attack chain employed by the attackers:

  • Use webshell to retrieve ListName.jsp from a remote source, and place it in the web server directory
  • Use webshell to retrieve tomcat-ant.jar from a remote source and move it to C:/users/public/
  • Use webshell to copy tomcat-websocket.jar out of the Apache Tomcat library directory into C:/users/public
  • Make an HTTP GET request to ListName.jsp, which would move the A, B, and C classes from tomcat-ant.jar into tomcat-websocket.jar
  • Use webshell to replace the tomcat-websocket.jar in the Apache Tomcat library with the backdoored version
  • Cleanup (delete the JARs from C:/users/public, delete ListName.jsp from the web server directory, clear the Apache Tomcat access logs)
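The persistence step above swaps a legitimate Tomcat library for a copy with foreign classes injected. As an added example (not from the report or this post), the following Python audit checks a `tomcat-websocket.jar` two ways a defender can use: comparing its SHA-256 against a known-good hash, and listing archive entries that sit outside the packages the library is expected to contain. The package prefixes and the in-memory "clean" and "backdoored" JARs are constructed for the example; in practice the baseline comes from a pristine Tomcat distribution.

```python
import hashlib
import io
import zipfile

# Packages that belong in tomcat-websocket.jar; any code at another path is suspect.
# This prefix list is an assumption for the example; derive it from a pristine copy.
EXPECTED_PREFIXES = ("META-INF/", "org/apache/tomcat/websocket/")


def build_jar(entries):
    """Constructed helper: write a name->bytes mapping into an in-memory JAR (zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit_jar(jar_bytes, baseline_sha256=None, expected_prefixes=EXPECTED_PREFIXES):
    """Compare a JAR with a known-good hash and list entries outside the expected packages."""
    findings = {"hash_mismatch": False, "unexpected_entries": []}
    if baseline_sha256 is not None and sha256_hex(jar_bytes) != baseline_sha256:
        findings["hash_mismatch"] = True
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entries carry no code
                continue
            if not name.startswith(expected_prefixes):
                findings["unexpected_entries"].append(name)
    findings["unexpected_entries"].sort()
    return findings


# Constructed fixtures: a "pristine" library and the same library with three foreign
# classes added at the archive root, mirroring the A/B/C class move described above.
_CLEAN_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe placeholder",
    "org/apache/tomcat/websocket/server/WsFilter.class": b"\xca\xfe\xba\xbe placeholder",
}
CLEAN_JAR = build_jar(_CLEAN_ENTRIES)
BACKDOORED_JAR = build_jar({**_CLEAN_ENTRIES,
                            "A.class": b"\xca\xfe\xba\xbe A",
                            "B.class": b"\xca\xfe\xba\xbe B",
                            "C.class": b"\xca\xfe\xba\xbe C"})

if __name__ == "__main__":
    print(audit_jar(BACKDOORED_JAR, baseline_sha256=sha256_hex(CLEAN_JAR)))
```

The hash comparison catches any tampering but needs a trusted baseline; the package check needs no baseline and still surfaces classes dropped at the archive root, which is why both are worth running against every JAR in Tomcat's lib directory.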

“The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by VANGUARD PANDA. This backdoor was likely used by VANGUARD PANDA to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.” concludes the report.

Pierluigi Paganini
