Chinese APT Group Attacked Healthcare Companies by Exploiting Zoho Password Management Platform Vulnerability

An advanced persistent threat (APT) actor is continuing an espionage campaign that has compromised the systems of at least 9 companies. The campaign targeted organizations in a range of critical industries, including healthcare, defense, energy, technology, and education.

Security researchers at Palo Alto Networks identified the campaign. Although the hacking group has not been conclusively identified, the researchers believe the Chinese state-sponsored group APT27, also known as Iron Tiger, TG-3390, Emissary Panda, and LuckyMouse, most likely conducted the attacks, because the tools and techniques used match past APT27 activity.

The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on product from Zoho. Successful exploitation allowed remote attackers to execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that exploits for the vulnerability were publicly available and that APT actors were using it to install web shells on compromised servers in order to maintain persistent access.

Palo Alto Networks also identified another campaign involving extensive scanning for vulnerable servers from rented infrastructure in the United States. Unpatched systems were attacked from September 22, 2021, onward, and the attacks continued into October.

The attackers used a web shell known as Godzilla and, on a subset of victims, installed a new backdoor named NGlite. The web shell or backdoor was then used to execute commands and move laterally through the victims' environments, exfiltrating sensitive information from their systems. Once the attackers located a domain controller, they installed a new credential-stealing tool called KdcSponge, harvested credentials, and took files such as the SYSTEM hive from the registry and the Active Directory database file (ntds.dit).
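A defender-side illustration of the final step in that chain, added here and not taken from the article or from the Palo Alto Networks research: a small Python detector that runs over constructed Windows process-creation records and flags the command patterns commonly used to copy the SYSTEM hive and ntds.dit off a domain controller, then counts how many distinct indicators fire per host so that a single noisy match can be separated from a cluster of them. The record layout, host names, user names and rule patterns are assumptions made for the example; they are not indicators published for this campaign.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in a simplified
# "timestamp|host|user|image|command_line" layout (not real telemetry).
# The first four records mimic a credential-dump sequence on a domain
# controller; the last two are benign noise.
SAMPLE_EVENTS = [
    "2021-09-23T02:11:04Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|"
    "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\temp\\dump\" q q",
    "2021-09-23T02:13:40Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\reg.exe|"
    "reg.exe save HKLM\\SYSTEM C:\\temp\\system.hiv",
    "2021-09-23T02:15:09Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|"
    "vssadmin.exe create shadow /for=C:",
    "2021-09-23T02:16:31Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\NTDS\\ntds.dit C:\\temp\\",
    "2021-09-23T08:00:00Z|WS042|CORP\\alice|C:\\Windows\\System32\\notepad.exe|"
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "2021-09-23T09:30:00Z|DC01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|"
    "svchost.exe -k netsvcs",
]

# Each rule is a name plus a regex applied to "<image> <command_line>".
# The patterns describe well-known ways the SYSTEM hive and ntds.dit are
# copied from a domain controller; they are an assumption about tooling
# for this example, not indicators from the campaign.
RULES: List[Tuple[str, re.Pattern]] = [
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("reg_save_system_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("vss_shadow_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds_dit_reference", re.compile(r"ntds\.dit", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into named fields; reject malformed lines."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    keys = ("timestamp", "host", "user", "image", "command_line")
    return dict(zip(keys, fields))


def detect_credential_dump(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, rule_name) for every rule that fires on a record."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        # Inspect both the image path and the command line so a rule
        # still fires if only one of them names the tool.
        haystack = f"{ev['image']} {ev['command_line']}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((ev["timestamp"], ev["host"], name))
    return hits


def distinct_rules_per_host(hits) -> Dict[str, int]:
    """Count how many different rules fired on each host; several distinct
    indicators on one domain controller is far more telling than one."""
    seen: Dict[str, set] = {}
    for _, host, name in hits:
        seen.setdefault(host, set()).add(name)
    return {host: len(names) for host, names in seen.items()}


if __name__ == "__main__":
    found = detect_credential_dump(SAMPLE_EVENTS)
    for ts, host, rule in found:
        print(f"{ts} {host} {rule}")
    for host, count in distinct_rules_per_host(found).items():
        print(f"{host}: {count} distinct credential-dump indicators")
```

On the constructed input the four domain-controller records each trip one rule and the two benign records trip none, so DC01 ends up with four distinct indicators in a five-minute window, which is the kind of clustering an analyst would escalate. Real deployments would feed the same logic from Windows Security event 4688 or Sysmon event 1 records rather than the simplified layout used here.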

Palo Alto Networks said its scans show roughly 11,000 servers currently running the Zoho software, although it is unclear how many have been patched against CVE-2021-40539. The APT group attempted to attack at least 370 Zoho ManageEngine servers in the United States alone.