Suspected Emissary Panda campaign.
Palo Alto Networks' Unit 42 has released a description of a targeted cyberespionage campaign against ManageEngine ADSelfService Plus. The vulnerability being exploited is the same one, Palo Alto says, that the Cybersecurity and Infrastructure Security Agency (CISA) warned about on September 16th, but the campaign itself is distinct from the activity cited in CISA's alert. In the case Palo Alto describes, the payload installs a Godzilla webshell and, in some cases, an NGLite backdoor. Unit 42 also detected deployment of an uncommon credential stealer, KdcSponge. Attribution remains preliminary and circumstantial, but Palo Alto Networks thinks the tactics, techniques, and procedures closely resemble those used by the Chinese espionage group Threat Group 3390 (also known as APT27 or Emissary Panda).
Unit 42 stated, "As early as September 17, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on September 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries."
China says a foreign intelligence service accessed passenger travel records.
China's Ministry of State Security (MSS) says that an unnamed foreign intelligence service had accessed passenger travel records in 2020, the Record reports. The MSS said in a press release, "After an in-depth investigation, it was confirmed that the attacks were carefully planned and secretly carried out by an overseas spy intelligence agency." A public statement by the MSS about a cyberespionage incident is unusual: naming and shaming haven't been Chinese practice.