Chinese Vanguard Panda Hackers Use Unique Way to Maintain Access to Targeted Networks

The attackers planted a trojanized Apache Tomcat library and waited about six months before striking their victim in earnest.

Activity by the Chinese state-sponsored group known as “Volt Typhoon” was first recorded in mid-2021. In its latest report, CrowdStrike links the group to previously undocumented tradecraft that allowed it to keep remote access to targeted networks for a long time. CrowdStrike tracks the intruders under the name “Vanguard Panda”.

“The group exploited vulnerabilities in ManageEngine ADSelfService Plus to gain initial access, then used custom web shells for persistent access and living-off-the-land techniques to move laterally within the network,” CrowdStrike said.

Vanguard Panda, also known as Bronze Silhouette, is a cyber-espionage group from China that is involved in network intrusion operations against the US government and defense, as well as a number of other critical US organizations.

An analysis of the group’s tradecraft shows a strong emphasis on operational security: it uses an extensive set of open-source tools against a limited number of victims to carry out long-running operations.

It has also been described as a threat group that “prefers web shells for persistence” and “relies on short bursts of activity, primarily involving living-off-the-land binaries, to achieve its objectives.”

In one incident involving an undisclosed CrowdStrike customer, the attackers targeted a Zoho ManageEngine ADSelfService Plus instance running on Apache Tomcat to execute commands for, among other things, process enumeration and network connectivity testing.

“Vanguard Panda’s actions indicated a good familiarity with the target environment, given the rapid succession of their commands and the fact that they had specific internal hostnames and IP addresses to ping, remote shares to mount, and plaintext credentials to use with WMI,” the researchers said.

A closer look at Tomcat’s access logs revealed several HTTP POST requests to “/html/promotion/selfsdp.jspx”, a web shell that masquerades as a legitimate identity-security component to avoid detection.

The web shell is believed to have been deployed six months before the operation described above, indicating that the group had thoroughly reconnoitred the target network well in advance.
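The access-log hunt described above, as an added example that is not part of the article or of CrowdStrike's report: it parses Tomcat access-log lines in the default "common" pattern, flags POST requests to .jsp/.jspx paths that are not in an allowlist of endpoints the application is known to serve, and records the first and last time each (client, path) pair was seen, so that a web shell planted months before the hands-on-keyboard phase shows up as a wide time window rather than a single burst. The allowlist paths, client addresses and log lines are constructed for the demo; the only value taken from the article is the web shell path.

```python
import re
from datetime import datetime

# Tomcat's default AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_SUFFIXES = (".jsp", ".jspx")

# Hypothetical allowlist of JSP endpoints the application is known to serve.
# In practice build it from the vendor's deployed webapp, never from the logs.
KNOWN_SCRIPT_PATHS = {"/accounts/login.jsp", "/accounts/resetPassword.jsp"}

# Constructed sample log lines for the demo; not data from the incident.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2022:02:41:08 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 46
10.0.0.23 - - [01/Jun/2023:10:15:32 +0000] "GET /accounts/login.jsp HTTP/1.1" 200 2048
10.0.0.23 - - [01/Jun/2023:10:15:40 +0000] "POST /accounts/login.jsp HTTP/1.1" 302 -
203.0.113.7 - - [01/Jun/2023:10:16:02 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2023:10:16:05 +0000] "POST /html/promotion/selfsdp.jspx?x=1 HTTP/1.1" 200 733
10.0.0.23 - - [01/Jun/2023:10:16:10 +0000] "GET /images/logo.png HTTP/1.1" 304 -
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_unknown_script_posts(log_text, known_paths=KNOWN_SCRIPT_PATHS):
    """Group POSTs to JSP/JSPX paths outside the allowlist by (client, path).

    Each finding carries a request count plus first/last timestamps, so a
    shell deployed long before the main operation stands out by its dwell time.
    """
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(SCRIPT_SUFFIXES) or path in known_paths:
            continue
        ts = datetime.strptime(rec["time"], TIME_FMT)
        key = (rec["host"], path)
        f = findings.setdefault(key, {"count": 0, "first_seen": ts, "last_seen": ts})
        f["count"] += 1
        f["first_seen"] = min(f["first_seen"], ts)
        f["last_seen"] = max(f["last_seen"], ts)
    return findings


def dwell_days(finding):
    """Whole days between the first and last request to a flagged path."""
    return (finding["last_seen"] - finding["first_seen"]).days


if __name__ == "__main__":
    for (host, path), f in hunt_unknown_script_posts(SAMPLE_LOG).items():
        print(f"{host} -> {path}: {f['count']} POSTs, "
              f"{f['first_seen']:%Y-%m-%d} .. {f['last_seen']:%Y-%m-%d} "
              f"({dwell_days(f)} days)")
```

Run against a real Tomcat access log, the interesting output is not only the unknown path but the gap between first_seen and last_seen: a single successful POST months before a cluster of activity is exactly the pattern the article describes. If the logs have been truncated or cleaned up, the absence of the early entry is itself worth noting against file-system timestamps of the .jspx.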

It is unclear exactly how Vanguard Panda got into the ManageEngine environment, but all signs point to exploitation of CVE-2021-40539, a critical authentication bypass in ADSelfService Plus that leads to remote code execution.

The attackers are believed to have deleted the artifacts they dropped and cleaned up access logs to cover their tracks. However, they apparently overlooked the Java source files and compiled classes that were generated during the attack, and these led the researchers to further web shells and backdoors.

The trojanized version of “tomcat-websocket.jar” discovered by the researchers contains three Java classes named A, B and C that function as web shells, capable of receiving and executing Base64-encoded, AES-encrypted commands.

“The use of a malicious Apache Tomcat library is a previously unseen persistence technique in the hands of Vanguard Panda,” CrowdStrike said. The researchers noted in particular that the group used the malicious implant to “ensure continued access to high-value targets selected after the initial-access phase, which used what were at the time zero-day vulnerabilities.”
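A way to catch the trojanized library described above, as an added example and not code from the article or from CrowdStrike: a JAR is a zip file, so the deployed tomcat-websocket.jar can be diffed entry by entry (name plus SHA-256 of content) against the vendor's copy of the same Tomcat version. Added, removed and modified entries are reported, and added class files with single-letter names, the pattern the article mentions, are called out separately. The two in-memory JARs below are constructed stand-ins with placeholder bytes, not real bytecode; the entry names are a hypothetical subset of the real jar, and which entry is "modified" is likewise invented for the demo.

```python
import hashlib
import io
import re
import zipfile

# A class file whose simple name is a single letter (A.class, x/y/B.class ...).
# Cheap heuristic on top of the real check, which is the diff against a known-good copy.
SINGLE_LETTER_CLASS_RE = re.compile(r"^(?:[^/]+/)*[A-Za-z]\.class$")


def jar_manifest(jar_bytes):
    """Map every file entry in a JAR (a zip archive) to the SHA-256 of its content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def diff_jar(baseline_bytes, suspect_bytes):
    """Compare a deployed JAR against the vendor's copy of the same version."""
    base = jar_manifest(baseline_bytes)
    sus = jar_manifest(suspect_bytes)
    added = sorted(set(sus) - set(base))
    removed = sorted(set(base) - set(sus))
    modified = sorted(n for n in base.keys() & sus.keys() if base[n] != sus[n])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "single_letter_classes": sorted(n for n in sus if SINGLE_LETTER_CLASS_RE.match(n)),
        "clean": not (added or removed or modified),
    }


def build_jar(entries):
    """Build an in-memory JAR for the demo; contents are placeholder bytes, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the vendor-shipped and the deployed tomcat-websocket.jar.
# The class list is a hypothetical subset of the real jar.
VENDOR_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe placeholder WsSession",
    "org/apache/tomcat/websocket/server/WsFilter.class": b"\xca\xfe\xba\xbe placeholder WsFilter",
}
TROJANIZED_ENTRIES = dict(VENDOR_ENTRIES)
# Invented for the demo: one shipped class altered, three single-letter classes added.
TROJANIZED_ENTRIES["org/apache/tomcat/websocket/server/WsFilter.class"] = b"\xca\xfe\xba\xbe patched WsFilter"
TROJANIZED_ENTRIES.update({
    "A.class": b"\xca\xfe\xba\xbe placeholder A",
    "B.class": b"\xca\xfe\xba\xbe placeholder B",
    "C.class": b"\xca\xfe\xba\xbe placeholder C",
})
VENDOR_JAR = build_jar(VENDOR_ENTRIES)
TROJANIZED_JAR = build_jar(TROJANIZED_ENTRIES)

if __name__ == "__main__":
    import json
    print(json.dumps(diff_jar(VENDOR_JAR, TROJANIZED_JAR), indent=2))
```

For a real check, take the baseline from an untouched download of the exact Tomcat version in the bundled ManageEngine install rather than from another host in the same environment, since a second host may carry the same implant. The same comparison works for every jar under Tomcat's lib directory, and a whole-file hash of the jar against the vendor's release is a cheaper first pass before the per-entry diff.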
