Volt Typhoon, a newly discovered Chinese nation-state actor, has been seen in the wild since at least the middle of 2020. The hacking crew is linked to new tradecraft to keep remote access to targets of interest.
CrowdStrike, which is tracking the adversary under the name Vanguard Panda, produced the findings.
The cybersecurity firm stated, “The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement.”
Volt Hurricane, as known as Bronze Outline, is a digital surveillance bunch from China that has been connected to organize interruption tasks against the U.S government, guard, and other basic foundation associations.
Analyses of the group’s methods have shown that it places a strong emphasis on operational security and uses a large number of open-source tools sparingly against a small number of targets to carry out long-term malicious acts.
“Favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives,” it has also been described as a threat group.
The actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server in one unsuccessful attack against an unidentified customer to initiate the execution of suspicious commands pertaining, among other things, to process enumeration and network connectivity.
According to CrowdStrike, “Vanguard Panda’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands,” as well as the fact that they had specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.
A more in-depth look at the Tomcat access logs revealed a number of HTTP POST requests to the web shell /html/promotion/selfsdp.jspx, which is disguised as a legitimate identity security solution to avoid detection.
The fact that the hands-on-keyboard activity occurred nearly six months prior to the deployment of the web shell indicates that extensive prior reconnaissance of the target network was carried out.
All indications point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw that results in remote code execution. It is not immediately clear how Vanguard Panda broke into the ManageEngine environment.
The threat actor may have altered access logs and deleted artifacts to obscure the forensic trail. However, the process made a glaring error by not taking into account the Java source and compiled class files that were created during the attack. This led to the discovery of additional web shells and backdoors.
This includes a JSP file that is likely retrieved from an external server. It is designed to backdoor “tomcat-websocket.jar” by using an additional JAR file called “tomcat-ant.jar” that is also retrieved remotely using a web shell. After that, cleanup steps are taken to hide the tracks.
The trojanized version of tomcat-websocket.jar includes three new Java classes called A, B, and C. A.class is a web shell that can receive and execute commands encoded with Base64 and AES.
According to CrowdStrike, “the use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda,” and the implant is used to “enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities,” CrowdStrike noted with moderate confidence.
