Over the course of three months, a persistent and determined APT actor has launched several campaigns that have now compromised at least four more organizations, bringing the total to 13. Several of the affected organizations belong to critical infrastructure sectors of the United States, including defense, transport, healthcare and energy.
On September 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Advanced Persistent Threats (APT) actors are actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution called ManageEngine ADSelfService Plus. Building on the findings of this first report, Unit 42 uncovered a second, even more sophisticated, active and hard-to-detect campaign on November 7 that had resulted in the compromise of at least nine organizations.
Over the past month, Unit 42 has observed the threat actor expand its focus beyond ADSelfService Plus to other vulnerable software. In particular, between October 25 and November 8, the actor shifted its attention to several organizations running another Zoho product, ManageEngine ServiceDesk Plus.
The security researchers from Unit 42 are now tracking the combined activities as a TiltedTemple campaign. In their November 7 blog, they noted that “the attribution is still ongoing and we have not been able to confirm the actor behind the campaign, but we have found some correlations between the tactics and tools used in the cases we analyzed and Threat Group 3390 (TG-3390, Emissary Panda, APT27)”.
For now, the correlation with these tactics and tools holds, but attribution has not yet been completed. According to findings of the Microsoft Threat Intelligence Center (MSTIC), some parts of TiltedTemple, in particular the September attacks that exploited ManageEngine ADSelfService Plus, overlap with activity associated with DEV-0322. MSTIC describes this as “a group that operates from China, based on the observed infrastructure, victimology, tactics and procedures”.
ServiceDesk Plus is a help desk and asset management software. On November 22, Zoho released a security advisory alerting customers to active exploitation of the newly registered vulnerability CVE-2021-44077. The vulnerability affects ServiceDesk Plus versions 11305 and below. Although the researchers could not find publicly available proof-of-concept code for this vulnerability, it is now clear that the actor has successfully worked out how to exploit unpatched versions of the software.
The actor was also observed uploading a new dropper to victims’ systems after exploiting the vulnerability. As with the earlier tactic used against ADSelfService Plus, this dropper deploys a Godzilla webshell that gives the attacker further access to the victims’ systems.
There are over 4,700 Internet-facing instances of ServiceDesk Plus worldwide, of which 2,900 – or 62 percent – are classified as vulnerable to attack. Given the actor’s success to date and its continued reconnaissance activity against a wide range of industries (including the infrastructure of five US states), the researchers expect the number of victims to keep rising.
Unit 42 recommends that all organizations patch vulnerable software in their environments.
Protective and remedial measures
For Palo Alto Networks customers, the following products and services provide protection against this campaign:
- Threat Prevention provides protection against the Godzilla webshells. Threat IDs 81803, 81815, 81816, 81817 and 81819 cover the traffic variants of this webshell’s .NET, Java, PHP and ASP versions. These protections have been in place since April 28, 2021. Threat ID 91949 (Zoho ManageEngine ServiceDesk Plus File Upload Vulnerability) provides protection against CVE-2021-44077.
- Cortex XDR protects endpoints and identifies the dropper used in this campaign as malicious. In addition, Cortex XDR has several detections for the lateral movement and credential theft techniques used by this actor.
- The WildFire cloud-based threat analysis service identifies the dropper used in this campaign as malicious.
- Cortex Xpanse can accurately identify Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus servers in customer networks and determine whether they are vulnerable to these attacks.
Palo Alto Networks shared these findings, including file samples and indicators of compromise, with the other members of the Cyber Threat Alliance. CTA members use these insights to quickly provide their customers with protections and to systematically disrupt malicious cyber actors.