posted by janrinok on Friday November 12 2021, @01:05AM

Arthur T Knackerbracket has processed the following story:

Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.

To breach the orgs' networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution known as ManageEngine ADSelfService Plus, which allows remote code execution on unpatched systems without authentication.

The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

Exploitation attempts began on September 22 after five days of harvesting info on potential targets who hadn't yet patched their systems.

"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," the researchers said.

"Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."

Even though the researchers are working on attributing these attacks to a specific hacking group, they suspect that this is the work of a Chinese-sponsored threat group known as APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse).

From https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/ we read:

Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures. MSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

[...] MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.

[...] In addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

[Editor's Note: DEV-0322 is the Microsoft designation of a specific hacking group operating within the more widely known Chinese threat group identity APT27, hence the confusing attributions to different identities.]

  • (Score: 2, Redundant) by Mockingbird on Friday November 12 2021, @01:58AM

    by Mockingbird (15239) on Friday November 12 2021, @01:58AM (#1195547)

    targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors.

    And they are running Windows? It's Zoho wonder they have vulnerabilities!

  • (Score: 5, Insightful) by Runaway1956 on Friday November 12 2021, @06:37AM

    by Runaway1956 (2926) on Friday November 12 2021, @06:37AM (#1195575)

    If outsiders can touch your network remotely, they will find a way to exploit it. Defense, Energy, Healthcare, and all the rest of our infrastructure is built like a house of cards on a windswept sandy beach.

    Security is a concept that upper management types will never understand, until the house of cards is blown into the sea.

    --
    Abortion is the number one killer of children in the United States.
  • (Score: 2) by Username on Friday November 12 2021, @10:37AM

    by Username (4557) on Friday November 12 2021, @10:37AM (#1195603)

    published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

    Why are three different agencies doing the same thing?

  • (Score: 0) by Anonymous Coward on Friday November 12 2021, @01:22PM

    by Anonymous Coward on Friday November 12 2021, @01:22PM (#1195615)

    and they all didn't run woway or zte gear ...
