Chinese APT Group Uses New Tradecraft to Live Off the Land
Group Targeting Transportation, Construction, Government Agencies, CrowdStrike Says
A Chinese state hacker is using novel tradecraft to gain initial access to victim systems, according to CrowdStrike. Targeted organizations include those in the communications, manufacturing, utility, transportation, construction, maritime, government, IT and education sectors.
Microsoft dubbed the tradecraft Volt Typhoon in a coordinated disclosure with the U.S. government and the Five Eyes intelligence-sharing alliance. The latest update from CrowdStrike researchers tracks the group under the name Vanguard Panda.
CrowdStrike researchers observed the group employing the ManageEngine ADSelfService Plus exploit for initial access, followed by custom web shells for persistent access and "living off the land" techniques for lateral movement.
When these tactics were detected and blocked, as happened in one instance involving a security firm, Vanguard Panda actors were seen running commands on an Apache Tomcat server.
"One specific VANGUARD PANDA incident stands out to review in detail," CrowdStrike said. "Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus."
Analysis of the Apache Tomcat access logs uncovered multiple instances of malicious HTTP POST requests targeting the web shell "/html/promotion/selfsdp.jspx." This web shell posed as a legitimate file from ManageEngine ADSelfService Plus and attempted to deceive by displaying the title and links associated with genuine enterprise help desk software.
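As an added example, not code from CrowdStrike or from the article, the check below scans constructed Tomcat access-log lines in the common log format and flags POST requests to .jsp/.jspx paths that fall outside an assumed allowlist of legitimate POST endpoints, which is the pattern the access-log analysis above describes:

```python
import re
from collections import Counter

# Tomcat "common" access-log format: ip ident user [timestamp] "METHOD path proto" status bytes
TOMCAT_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed allowlist (placeholder): lower-cased paths the application legitimately
# accepts via POST. Any other POST to a .jsp/.jspx resource is worth a closer look.
KNOWN_POST_PATHS = {"/accounts/login"}

# Constructed sample lines, not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /authorization.do HTTP/1.1" 200 5123
10.0.0.5 - - [12/Jun/2023:10:01:09 +0000] "POST /accounts/login HTTP/1.1" 302 0
203.0.113.7 - - [12/Jun/2023:10:05:41 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 417
203.0.113.7 - - [12/Jun/2023:10:05:44 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jun/2023:10:07:00 +0000] "GET /html/promotion/selfsdp.jspx HTTP/1.1" 200 1190
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = TOMCAT_LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_posts(log_text):
    """Return (ip, path) pairs for POSTs to .jsp/.jspx paths outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0].lower()   # drop query string, normalise case
        if path in KNOWN_POST_PATHS:
            continue
        if path.endswith((".jsp", ".jspx")):
            hits.append((rec["ip"], rec["path"]))
    return hits

def summarize(hits):
    """Count suspicious POSTs per (ip, path) so repeated use stands out for triage."""
    return Counter(hits)

if __name__ == "__main__":
    for (ip, path), n in summarize(suspicious_posts(SAMPLE_LOG)).items():
        print(f"{n} suspicious POST(s) from {ip} to {path}")
```

The GET to the same .jspx path is deliberately not flagged, since the report describes the web shell being driven via POST; widen the method filter if your environment warrants it.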
According to CrowdStrike, the Vanguard Panda group possessed extensive knowledge about the targeted environment, suggesting thorough reconnaissance and enumeration before the attack. While the attackers likely gained access using compromised administrator credentials, researchers did not find access log evidence related to CVE-2021-40539.
In September 2021, Zoho released a security patch for CVE-2021-40539 to address an authentication bypass vulnerability in ManageEngine ADSelfService Plus. Zoho warned that this vulnerability had been exploited in real-world attacks. The vulnerability resided in the REST API URLs of the software and could lead to remote code execution.
Although the hackers managed to conceal their tracks, they failed to remove the generated Java source and compiled class files, which exposed various web shells and backdoors used in the attack.
Microsoft says Volt Typhoon has been active since mid-2021. Threat intelligence firm Mandiant called Volt Typhoon's actions "aggressive and potentially dangerous" but cautioned that the intrusions "don't necessarily indicate attacks are looming" (see: Chinese State Hacker 'Volt Typhoon' Targets Guam and US).