December 03, 2021
Prepared by deepwatch Threat Intel Team
Source: Palo Alto Unit 42
- Over three months, a persistent and determined APT threat actor has launched multiple campaigns, compromising at least 13 organizations.
- The actor’s first campaign targeted a zero-day vulnerability in the Zoho ManageEngine ADSelfService Plus software. The actor’s most recent campaign, which focused on a previously unknown vulnerability in Zoho ManageEngine ServiceDesk Plus software, was launched in late October.
- The Threat Intel Team assesses with high confidence that the threat actor will continue to attempt to gain access to vulnerable ManageEngine products to develop working exploits for future campaigns. The best defense against this and future campaigns is a security posture that prioritizes prevention.
A persistent and determined APT threat actor has launched multiple campaigns over three months, compromising at least 13 organizations. Several of the organizations impacted are involved in critical infrastructure sectors in the United States, including defense, transportation, healthcare, and energy.
The actor’s first campaign was alerted to by the US Cybersecurity and Infrastructure Security Agency (CISA) when they issued an alert on Sept. 16, 2021, warning that the threat actor was actively exploiting newly identified vulnerabilities in ManageEngine ADSelfService Plus, a self-service password management, and single sign-on solution. In late October, the actor launched its most recent campaign, which focused on a previously unknown vulnerability in Zoho ManageEngine ServiceDesk Plus software (CVE-2021-44077). The actor then uploaded a new dropper that deployed a Godzilla webshell on victim networks, allowing it to bypass a security filter on the ADSelfService and ServiceDesk Plus products.
In an update to its initial report on December 2, Unit 42 published additional findings saying that between Oct. 25 and Nov. 8, the threat actor shifted its focus to several organizations using ManageEngine ServiceDesk Plus, a Zoho product. Unit 42 is naming the combined activity the TiltedTemple campaign.
In Unit 42s Nov. 7 blog, they stated that “while attribution is still ongoing and we have been unable to validate the actor behind the campaign, we did observe some correlations between the tactics and tooling used in the cases we analyzed and Threat Group 3390 (TG-3390, Emissary Panda, APT27).” At this point, Unit 42 can say that the correlation between those tactics and tooling is correct, but attribution is still being worked out. According to the Microsoft Threat Intelligence Center (MSTIC), some TiltedTemple activity, specifically the September attacks exploiting ManageEngine ADSelfService Plus, overlaps with DEV-0322 activity, which according to MSTIC, is “a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.”
Unit 42’s previous report documented that the actor conducted reconnaissance and exploitation activities against ManageEngine ADSelfService Plus software between September 17 and October 15. Following the initial campaign, Unit 42 noticed a steady flow of connections from the actor’s malicious infrastructure to Zoho infrastructure, which started on Oct. 21 and continued until Nov. 9. archives.manageengine[.]com and download.manageengine[.]com were accessed by the threat actors. When visiting the first site, visitors are presented with a form to fill out to request access to older versions of ManageEngine software. This portal is thought to have been used by the threat actor to request older vulnerable versions of software to create working exploits for known CVEs.
On Oct. 25, four days later, Unit 42 saw the first reconnaissance activity against a financial institution in the United States using a vulnerable version of ManageEngine ServiceDesk Plus. Similar activity was observed across six other organizations in the days that followed, with exploitation against one US defense organization and one tech organization beginning as early as November 3.
A record for CVE-2021-44077 was created on November 20. Two days later, Zoho issued a security advisory warning customers about active exploitation of a remote code execution (RCE) vulnerability in ServiceDesk Plus versions up to 11305. This critical severity-rated flaw can allow an attacker to run arbitrary code and conduct further attacks. It’s also worth noting that three months ago, on Sept. 16, Zoho released an update that prevented exploitation in Zoho versions 11306 and higher.
Unit 42 is not aware of any publicly available proof-of-concept code for exploiting this vulnerability at this time. Furthermore, given that the vulnerability was only discovered after the attacks began, Unit 42 believes that the threat actor developed their own exploit code.
Unit 42 has identified over 1,200 systems running ServiceDesk Plus software in the United States as of publication. Approximately 600 systems, or 50%, are running vulnerable or unpatched software versions. Unit 42 discovered systems in all industry segments when describing this vulnerable population, including 23 universities, 14 state or local governments, and ten healthcare organizations.
deepwatch Threat Intelligence Outlook:
The Threat Intel Team assesses with high confidence that the threat actor will continue to attempt to gain access to vulnerable ManageEngine products to develop working exploits for future campaigns. This is due to Unit 42 observing the threat actor connecting to passwordmanagerpromsp[.]com on November 9. This domain is linked to another ManageEngine product that allows Managed Service Providers (MSPs) to manage passwords for multiple customers in a single location. This could be in an attempt to gain access to a larger targeted group of organizations or an effort to compromise specific MSPs that use this product. The best defense against this and future campaigns, according to the deepwatch Threat Intel Team, is a security posture that prioritizes prevention.
The Threat Intel Team advises businesses to do the following:
- Identify all Zoho software and make sure the latest patches/upgrades are installed,
- Assess the business need and risk associated with any internet-facing Zoho products, and, lastly,
- Review all files created in ServiceDesk Plus directories since early October 2021.