A newly discovered Chinese nation-state actor known as Volt Typhoon has been observed active in the wild since at least mid-2020, and has been linked to a never-before-seen tradecraft for maintaining remote access to targets of interest.
The find comes from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.
“Adversaries consistently use the ManageEngine Self-service Plus exploit to gain early access, followed by a dedicated web shell for persistent access, and living-off-the-land (LotL) techniques for lateral movement,” the cybersecurity firm said.
Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that is associated with network intrusion operations against the US government, defense, and other critical infrastructure organizations.
Analysis of the group’s modus operandi has revealed an emphasis on operational security, carefully using an extensive set of open-source tools against multiple victims to commit long-term malicious actions.
It is further described as a threat group that “prefers web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its goals.”
In one failed incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands relating to process enumeration and network connectivity, among other things.
“Vanguard Panda’s actions demonstrate familiarity with the target environment, due to their fast sequence of commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plain text credentials to use for WMI,” said CrowdStrike.
Closer inspection of Tomcat’s access logs uncovered multiple HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell masquerading as a legitimate identity security solution to evade detection.
The web shell is believed to have been used nearly six months prior to the aforementioned hands-on-keyboard activity, indicating extensive prior reconnaissance of the target’s network.
While it’s not immediately clear how Vanguard Panda managed to penetrate the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw that results in remote code execution.
The threat actor is suspected to have deleted artifacts and tampered with access logs to obscure forensic traces. However, in a glaring misstep, the cleanup failed to take into account the Java source and compiled class files generated during the attack, leading to the discovery of more web shells and backdoors.
These include a JSP file possibly fetched from an external server and designed to backdoor “tomcat-websocket.jar” by making use of an additional JAR file called “Tomcat-ant.jar”, which is also fetched remotely via the web shell, after which cleanup actions are taken to cover the tracks.
The trojanized version of tomcat-websocket.jar comes with three new Java classes – named A, B, and C – with A.class serving as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
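Two of the artifacts described above (the POST requests to the web shell path in Tomcat's access log, and single-letter classes planted into tomcat-websocket.jar) can be hunted for with a short script. The following is an added example, not CrowdStrike's tooling; the log lines and the JAR are constructed, the log format assumed is Tomcat's default "common" AccessLogValve pattern, and the expected package prefix for the library is assumed to be org/apache/tomcat/websocket/.

```python
import re
import zipfile
from io import BytesIO

# Web shell path reported in the article; sample log lines below are constructed.
WEBSHELL_PATH = "/html/promotion/selfsdp.jspx"

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_webshell_hits(log_lines, path=WEBSHELL_PATH):
    """Return (host, time, method, status) for every request to the web shell path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Compare the URL path only, ignoring any query string
        if m.group("path").split("?", 1)[0].lower() == path.lower():
            hits.append((m.group("host"), m.group("time"), m.group("method"), m.group("status")))
    return hits

def suspicious_jar_classes(jar_bytes, expected_prefix="org/apache/tomcat/websocket/"):
    """Return class entries in a JAR that sit outside the expected package tree (assumed prefix)."""
    with zipfile.ZipFile(BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.endswith(".class") and not n.startswith(expected_prefix))

SAMPLE_LOG = [  # constructed
    '10.0.0.5 - - [01/Jun/2023:10:01:02 +0000] "GET /html/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2023:10:02:15 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 73',
    '203.0.113.7 - - [01/Jun/2023:10:02:40 +0000] "POST /html/promotion/selfsdp.jspx?x=1 HTTP/1.1" 200 91',
]

def build_sample_jar():
    """Constructed stand-in for a trojanized tomcat-websocket.jar with planted A/B/C classes."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/tomcat/websocket/WsSession.class", b"\xca\xfe\xba\xbe")
        for name in ("A", "B", "C"):
            zf.writestr(f"{name}.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print("web shell request:", hit)
    print("unexpected classes:", suspicious_jar_classes(build_sample_jar()))
```

On a real host, pass the lines of localhost_access_log.*.txt and the bytes of the deployed tomcat-websocket.jar; any top-level class outside the library's own package is worth a closer look.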
“Use of the Apache Tomcat library backdoor is a previously undisclosed persistence TTP used by Vanguard Panda,” said CrowdStrike, noting with moderate confidence that the implant was used to “enable persistent access to selected high-value targets after the initial access phase of the operation using the zero-day vulnerability.”