BACKGROUND:
Palo Alto Networks reported Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. The report details malicious actors using previously patched techniques discussed in a Sept. 16th CISA Alert and tracks attacks beginning one day after the Alert was released and continuing into October. The attacks targeted critical sectors, including defense, healthcare, energy, technology, and education. Several of the tools used were of known Chinese origins.
<p>The ADSelfService attack is another example of hackers using zero-day vulnerabilities to insert malware into our enterprises. This particular APT is a credential stealing tool for the purpose of continually stealing credentials on the enterprise. The fact that the new attack went on top of previously patched components shows how important concepts of zero trust are to the enterprise. We must assume any component of the enterprise is compromised, even the recently patched – and therefore harden our identities and enforce the principle of least privilege on all accounts – especially the service accounts.</p>
<p>Current tools and resources allow bad actors unprecedented abilities to scan and exploit vulnerabilities on a massive scale. This works to accelerate RAT attacks into companies critical to the welfare of our economy. These and similar types of attacks won\’t stop until we have stronger measures in place. We need to invest in the next generation of cyber professionals. We have the tools to find talent even in a tight labor market and we need to double down on this investment to ensure we have the ability to combat these threats going forward.</p>
<p>This clever attack with its origins in China has to be a nightmare for any organization, especially those in critical industries such as defense and healthcare. Using two separate backdoor tools, attackers can parse HTTP POST requests, decrypts the data, then uses it to send an HTTP response until they are ready to attack that particular system.</p>
<p>Malware that lurks undetected on systems and networks until it’s activated is one of the most insidious attacks possible, because the possibility of detection is often fleeting. IT staff and SOC analysts have to use automated approaches to identify these activities as suspicious and high-risk, and automatically begin remediation where possible.</p>