Suspected Chinese Hackers Hit Critical Infrastructure, Government Agencies In Espionage Operation


Cyber attackers exploiting a password management tool have hit nine organizations in the defense, education, energy, health care and technology sectors, according to a new report from Palo Alto Networks’ security unit. The attacks are related to ManageEngine's ADSelfService Plus platform, the report alleges.

Cyber espionage, including gathering and exfiltrating sensitive data, appears to be the hackers’ goal, officials said. Chinese operatives are the early suspects, Palo Alto Networks' Unit 42 security team said in a blog post, while acknowledging that the identity of the threat actor orchestrating the malware campaign remains unconfirmed. Still, the cyber crew’s “tactics and tooling” bore some resemblance to those of the Chinese threat group 3990 that Unit 42 and other security researchers had previously analyzed.

Here’s what is known about the attacks so far:

  • On September 16, 2021, the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warned of a new threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus, a password management and single sign-on solution. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software,” the alert said.
  • On September 17, in a separate incident, unidentified threat actors began scanning for organizations running ADSelfService Plus, for which Zoho, a popular software-as-a-service vendor, on September 6th had issued a patch to fix a software vulnerability.
  • The hackers that Unit 42 tracked scanned 370 computer servers in the U.S. alone, apparently looking for an unpatched system. The vulnerability is tracked as CVE-2021-40539.
  • On September 22nd, the actors began attempts to infiltrate targets in a campaign that lasted for at least another month. At this point, it’s not clear exactly how many organizations have been compromised, Unit 42 said. Ryan Olson, a senior Palo Alto Networks executive, told media outlet CNN that the nine victims are the “tip of the spear.”
  • In all cases, a payload was uploaded to the victim network that installed a Godzilla webshell, enabling the hackers to keep code likely to be flagged as malicious off the target system.
  • Unit 42 also found a few small organizations that received a modified version of a new open source backdoor called NGLite. Both Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub, researchers said. In addition, the hackers used a credential-harvesting tool dubbed KdcSponge.

In the meantime, the FBI, CISA, and CGCYBER “strongly urged” users and administrators to update to ADSelfService Plus build 6114 and ensure that the tool is not directly accessible from the Internet.

The agencies are simultaneously investigating the incidents and offering services to help organizations hit by the hackers:

  • The FBI is leveraging specially trained cyber squads in each of its 56 field offices and its CyWatch operations center.
  • CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats.
  • CGCYBER has deployable elements that provide cyber capability to marine transportation system critical infrastructure in proactive defense or response to incidents.

Organizations that observe the following indicators of compromise are urged to contact CISA or the FBI:

  • Identified indicators of compromise as described in the Unit 42 blog.
  • Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.