Cybersecurity experts at Palo Alto Networks recently issued warnings about an insidious hacking campaign.

The continuing cybercriminal initiative has already compromised at least nine different organisations around the world operating in critical sectors, including technology, defence, energy, healthcare, and education.

Anatomy of a cyberespionage campaign

To breach the targeted organisations’ networks, the threat operators behind this campaign exploited a known vulnerability, tracked as CVE-2021-40539, in Zoho’s ManageEngine ADSelfService Plus, a self-service password management product for businesses. The flaw allows an unauthenticated attacker to execute code remotely on systems that have not yet been patched.

The cyberattacks detected by the Palo Alto Networks research team began on September 17, with the hackers scanning for vulnerable servers. This scouting mission followed a warning from the US Cybersecurity and Infrastructure Security Agency (CISA) that it had detected exploitation in the wild, and a joint advisory published by the FBI, CISA and the United States Coast Guard Cyber Command (CGCYBER).

After several days of collecting data on potential victims with unpatched systems, the exploitation attempts started in earnest.

Palo Alto Networks researchers commented:

“While we lack insight into the totality of organisations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defence, healthcare, energy and education industries were compromised. Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defence entities.”

Following the warnings from government and law enforcement agencies, the team observed another string of seemingly unrelated attacks that failed to compromise their chosen targets, suggesting that other financially motivated and state-backed hacking groups were likely joining in to take advantage of the vulnerability in Zoho servers.

According to scans by Palo Alto Networks, more than 11,000 servers exposed online are currently still running unpatched, vulnerable versions of the Zoho software.

Credential stealing malware

After obtaining a foothold on their targets’ systems using the exploit, the threat operators deployed a dedicated malware dropper that delivered web shells onto the compromised servers to gain and retain access to the infiltrated networks, along with further malware, including the open-source backdoor called NGLite.

The attackers also employed the KdcSponge malware, a credential stealer that hooks Windows LSASS API functions to capture credentials such as domain names, usernames and passwords, which are then transmitted to servers under the hackers’ control.
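As an added defensive example that is not part of this article or the Palo Alto Networks report, the following Python flags modules loaded into lsass.exe from Sysmon-style image-load records. It assumes that a credential stealer hooking LSASS API functions must get its own module into that process, and that the records arrive in the simplified key=value form shown; the log lines, paths and publisher names are constructed for the example.

```python
"""Triage image loads into lsass.exe (Sysmon Event ID 7 style records).

Assumption: a stealer that hooks LSASS API functions loads its own code into
lsass.exe, so unexpected modules in that process are worth a look.
The records below are constructed for this example, not real telemetry.
"""
import re

# Directories lsass.exe is expected to load modules from (assumes a default Windows layout).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

SAMPLE_EVENTS = [
    # constructed: normal Microsoft-signed authentication package
    r"EventID=7 Image=C:\Windows\System32\lsass.exe ImageLoaded=C:\Windows\System32\kerberos.dll Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    # constructed: unsigned module loaded from a world-writable temp directory
    r"EventID=7 Image=C:\Windows\System32\lsass.exe ImageLoaded=C:\Windows\Temp\helper.dll Signed=false Signature= SignatureStatus=Unavailable",
    # constructed: image load in an unrelated process, must be ignored
    r"EventID=7 Image=C:\Program Files\App\app.exe ImageLoaded=C:\Program Files\App\plugin.dll Signed=false Signature= SignatureStatus=Unavailable",
    # constructed: validly signed by a third-party publisher, loaded from System32
    r"EventID=7 Image=C:\Windows\System32\lsass.exe ImageLoaded=C:\Windows\System32\vendorauth.dll Signed=true Signature=Example Vendor SignatureStatus=Valid",
]


def parse_event(line):
    """Split a key=value record; values may contain spaces, keys may not."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def suspicious_lsass_loads(lines):
    """Return (module path, reasons) for every lsass.exe image load that deserves triage."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or not ev.get("Image", "").lower().endswith("\\lsass.exe"):
            continue
        module = ev.get("ImageLoaded", "")
        reasons = []
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if not module.lower().startswith(TRUSTED_DIRS):
            reasons.append("loaded from outside Windows system directories")
        if ev.get("Signature") and not ev["Signature"].startswith("Microsoft"):
            reasons.append("non-Microsoft publisher: " + ev["Signature"])
        if reasons:
            findings.append((module, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for module, why in suspicious_lsass_loads(SAMPLE_EVENTS):
        print(module, "->", why)
```

Real Sysmon output is XML or EVTX rather than this flat form, so the parser is the part to swap out; the triage rules carry over unchanged.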

The researchers commented:

“After gaining access to the initial server, the actors focused their efforts on gathering and exfiltrating sensitive information from local domain controllers, such as the Active Directory database file.”

While the Palo Alto Networks researchers are still working on attributing the recent attacks to a particular hacking group, they have their suspicions. The team believe that the Chinese state-sponsored threat group called APT27 (also known as TG-3390, BRONZE UNION, Emissary Panda, LuckyMouse and Iron Tiger) may be behind the campaign.