Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

June 26, 2023 | Ravi Lakshmanan | Cyber Espionage / LotL


The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed operating in the wild since at least mid-2020, and the hacking crew is now linked to never-before-seen tradecraft for retaining remote access to targets of interest.

The finding comes from CrowdStrike, which tracks the adversary under the name Vanguard Panda.

"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said.

Volt Typhoon, also known as Bronze Silhouette, is a Chinese cyber espionage group linked to network intrusion operations against U.S. government, defense, and other critical infrastructure organizations.

An analysis of the group's modus operandi reveals a strong emphasis on operational security and the judicious use of an extensive set of open-source tools against a limited number of victims to carry out long-term malicious activity.


It has further been described as a threat group that "favors web shells for persistence and relies on short bursts of activity, primarily involving living-off-the-land binaries, to achieve its objectives."

In one unsuccessful incident targeting an unspecified customer, the actor went after the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server, triggering the execution of suspicious commands related to process enumeration and network connectivity, among others.

"Vanguard Panda's actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having a specific internal hostname and IP to ping, a remote share to mount, and plaintext credentials to use for WMI," CrowdStrike said.

A closer look at the Tomcat access logs turned up several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell disguised as the legitimate identity security solution in order to evade detection.
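The access-log pattern described above lends itself to a simple hunt: parse the Tomcat log, keep POST requests, and flag any that land on a JSP endpoint the application is not known to expose. The script below is an added example for this article, not code from CrowdStrike or the original report; the log lines are constructed (only the /html/promotion/selfsdp.jspx path comes from the write-up), and the allowlist of legitimate JSP endpoints is hypothetical.

```python
import re
from collections import Counter

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log lines, not real telemetry. Only the web-shell path
# /html/promotion/selfsdp.jspx comes from the CrowdStrike write-up; the
# addresses, timestamps and other endpoints are made up for this example.
SAMPLE_LOG = """\
10.10.1.15 - - [02/Jan/2023:08:01:12 +0000] "GET /samlLogin/LoginAuth HTTP/1.1" 200 5120
10.10.1.15 - - [02/Jan/2023:08:01:14 +0000] "POST /accounts/login.jsp HTTP/1.1" 302 -
203.0.113.7 - - [02/Jan/2023:03:14:07 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 612
203.0.113.7 - - [02/Jan/2023:03:14:09 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 2048
10.10.1.22 - - [02/Jan/2023:09:30:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9811
203.0.113.7 - - [02/Jan/2023:03:14:15 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 77
not a log line at all
"""

# Hypothetical allowlist of JSP endpoints the application legitimately accepts
# POSTs on. Derive it from a clean install of the same product version, never
# from the suspect host, since a web shell could have been added there too.
KNOWN_JSP_ENDPOINTS = {"/accounts/login.jsp"}
JSP_SUFFIXES = (".jsp", ".jspx", ".jspf")


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text: str, allowlist=KNOWN_JSP_ENDPOINTS):
    """Flag POST requests to JSP endpoints that are not on the allowlist.

    Web shells take their commands in POST bodies, and a JSP sitting under a
    directory that otherwise serves static content (/html/...) is the tell
    here. Returns (findings, posts_per_path) so a caller can see both the
    individual hits and how busy each suspect endpoint was.
    """
    findings = []
    posts_per_path = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if (rec["method"] == "POST"
                and path.lower().endswith(JSP_SUFFIXES)
                and path not in allowlist):
            findings.append((rec["host"], rec["time"], path, int(rec["status"])))
            posts_per_path[path] += 1
    return findings, posts_per_path


def source_hosts(findings) -> set:
    """Distinct client addresses behind the flagged POSTs; a single external
    address driving every hit is worth pivoting on in proxy and firewall logs."""
    return {host for host, _, _, _ in findings}


if __name__ == "__main__":
    hits, per_path = find_webshell_candidates(SAMPLE_LOG)
    for host, when, path, status in hits:
        print(f"{when} {host} POST {path} -> {status}")
    print(dict(per_path), source_hosts(hits))
```

One caveat that follows directly from the report: the actor is suspected of tampering with these same access logs, so an empty result from the on-host copy proves little. Run the check against a copy of the logs that was forwarded off the box (a SIEM or syslog collector) and compare the two.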

The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicating extensive prior reconnaissance of the target network.

While it is not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw that results in remote code execution.


The threat actor is suspected of deleting artifacts and tampering with the access logs to obscure the forensic trail. In an apparent misstep, however, that cleanup failed to account for the Java source and compiled class files generated during the course of the attack, leading to the discovery of more web shells and backdoors.

These include a JSP file, likely retrieved from an external server, that is designed to backdoor tomcat-websocket.jar by making use of an ancillary JAR file called tomcat-ant.jar, which is also fetched remotely by means of a web shell; cleanup actions are then performed to cover the tracks.

The trojanized version of tomcat-websocket.jar is fitted with three new Java classes, named A, B, and C, with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
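Two forensic checks fall out of the preceding paragraphs: the compiled JSP residue that the cleanup missed, and the extra classes inside a Tomcat library JAR. Tomcat compiles each JSP it serves into a .java and a .class file under the context's work directory, so a web shell deleted from webapps/ leaves a compiled twin with no matching source; and a JAR is just a ZIP, so the classes it contains can be compared against a pristine copy of the same library version. The script below is an added example for this article, not tooling from CrowdStrike or the Tomcat project. The directory layout, the placeholder class bytes and the placement of the A, B and C classes in the default package are all constructed assumptions; the name-mangling function approximates Tomcat's JspUtil.makeJavaIdentifier rather than reproducing it exactly.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JSP_SUFFIXES = (".jsp", ".jspx")


def tomcat_java_identifier(name: str) -> str:
    """Approximation of Tomcat's JspUtil.makeJavaIdentifier, which names the
    compiled form of a JSP: '.' becomes '_', characters that cannot appear in a
    Java identifier (including '_' itself) become '_' plus four hex digits, and a
    leading digit gets a '_' prefix. selfsdp.jspx thus compiles to
    selfsdp_jspx.java / selfsdp_jspx.class."""
    out = []
    for ch in name:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == ".":
            out.append("_")
        else:
            out.append("_%04x" % ord(ch))
    if out and out[0].isdigit():
        out.insert(0, "_")
    return "".join(out)


def expected_compiled_artifacts(webapp_dir: Path) -> set:
    """Every .java/.class path (relative to the context's work dir) that Tomcat
    would generate for the JSPs currently deployed under webapp_dir."""
    expected = set()
    for jsp in webapp_dir.rglob("*"):
        if not (jsp.is_file() and jsp.suffix.lower() in JSP_SUFFIXES):
            continue
        parts = [tomcat_java_identifier(p) for p in jsp.relative_to(webapp_dir).parts]
        base = "org/apache/jsp/" + "/".join(parts)
        expected.update({base + ".java", base + ".class"})
    return expected


def orphaned_compiled_jsps(work_dir: Path, webapp_dir: Path) -> list:
    """Compiled JSP artifacts in the work dir with no matching JSP in webapps/.
    A web shell deleted to cover tracks leaves exactly this residue behind."""
    expected = expected_compiled_artifacts(webapp_dir)
    return sorted(
        p.relative_to(work_dir).as_posix()
        for p in work_dir.rglob("*")
        if p.is_file() and p.suffix in (".java", ".class")
        and p.relative_to(work_dir).as_posix() not in expected
    )


def jar_classes(jar_bytes: bytes) -> set:
    """A JAR is a ZIP archive; return the names of its .class entries."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def unexpected_jar_classes(suspect_jar: bytes, baseline_jar: bytes) -> list:
    """Classes in the on-disk library that a pristine copy of the same version
    (from the vendor distribution, not from the suspect host) does not contain."""
    return sorted(jar_classes(suspect_jar) - jar_classes(baseline_jar))


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> tuple:
    """Build a constructed Tomcat layout in a temp dir and run both checks.
    The attacker's JSP has been removed from webapps/, but its compiled form is
    still in work/; the library JAR has gained the A/B/C classes named in the
    report (their location in the default package is an assumption here)."""
    genuine = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
               "org/apache/tomcat/websocket/WsSession.class": b"\xca\xfe\xba\xbe",
               "org/apache/tomcat/websocket/WsFrameBase.class": b"\xca\xfe\xba\xbe"}
    baseline_jar = _make_jar(genuine)
    suspect_jar = _make_jar({**genuine, "A.class": b"\xca\xfe\xba\xbe",
                             "B.class": b"\xca\xfe\xba\xbe", "C.class": b"\xca\xfe\xba\xbe"})

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        webapp = root / "webapps" / "ROOT"
        work = root / "work" / "Catalina" / "localhost" / "ROOT"
        webapp.mkdir(parents=True)
        (webapp / "index.jsp").write_text("<%-- legitimate page --%>")
        legit = work / "org" / "apache" / "jsp"
        legit.mkdir(parents=True)
        (legit / "index_jsp.java").write_bytes(b"")
        (legit / "index_jsp.class").write_bytes(b"")
        # Residue of the deleted web shell: compiled form of /html/promotion/selfsdp.jspx
        shell = legit / "html" / "promotion"
        shell.mkdir(parents=True)
        (shell / "selfsdp_jspx.java").write_bytes(b"")
        (shell / "selfsdp_jspx.class").write_bytes(b"")
        orphans = orphaned_compiled_jsps(work, webapp)

    return orphans, unexpected_jar_classes(suspect_jar, baseline_jar)


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point orphaned_compiled_jsps at work/Catalina/localhost/<context> and webapps/<context>, and feed unexpected_jar_classes the bytes of lib/tomcat-websocket.jar alongside the same file from an untouched Tomcat distribution of the identical version. The orphaned .java file is the more valuable of the two artifacts: it is the servlet source Tomcat generated from the web shell, so it records what the deleted JSP actually did.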

"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda," CrowdStrike said, noting with moderate confidence that the implant is "used to enable persistent access to targets down-selected after the initial access phase of operations using then zero-day vulnerabilities."
