HC3 TLP White Sector Alert: Chinese Cyberespionage Campaign Targets Multiple Industries - November 12, 2021

At a Glance

Executive Summary

Multiple cybersecurity organizations recently shared information regarding a suspected Chinese cyberespionage campaign targeting organizations in multiple industries, including healthcare, by exploiting a critical vulnerability in a common password management product. This activity began as early as September 17, 2021. Patches, mitigations, and workarounds are available to mitigate this threat, along with guidance for detecting it.

Report

On November 7, 2021, researchers at Palo Alto Networks Unit 42 shared details of a targeted attack campaign that began around September 17, 2021, with scans against vulnerable Zoho ManageEngine ADSelfService Plus servers. After gaining initial access, the attackers attempt to deliver multiple malware families, including the Godzilla webshell, the NGLite trojan, and the KdcSponge information stealer. ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. The researchers stated that the campaign has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including healthcare. Initial attribution analysis conducted by Unit 42 indicated that APT27 was behind this cyberespionage campaign, which exploits a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus. The researchers believe that the group targeted at least 370 Zoho ManageEngine servers in the United States alone, and that there are over 11,000 internet-exposed servers running the vulnerable Zoho software.

APT27 is a Chinese threat group that is also known by various private cybersecurity industry partners as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse. APT27 engages in cyber operations whose goal is intellectual property theft, usually focusing on the data that make a particular organization competitive within its field. APT27 threat actors are not known for using original zero-day exploits, but they may leverage such exploits once they have been made public, as in this case, where exploitation attempts began about 10 days after the vulnerability was publicly disclosed.

The next day, on November 8, 2021, the Microsoft Threat Intelligence Center (MSTIC) shared additional information related to this threat activity, attributing the campaign with high confidence to DEV-0322, the temporary designation for a threat group operating out of China, based on observed infrastructure, victimology, tactics, and procedures. MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network. View the entire report below.