Volt Typhoon ⚡️ APT Exploits Zoho Vulnerability

Researchers discovered Chinese state-backed APT Volt Typhoon has been spotted using a critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a single sign-on and password management solution.

Volt Typhoon came in to limelight recently and the reports detailed a number of Volt Typhoon’s TTPs, including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and the hiding of network activity via compromised routers, firewalls, and VPN hardware.

The recent campaign outlined by researchers suggests that Volt Typhoon is flexible, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along.

Advertisements

Researchers sensed that the suspicious activity seemed to be emanating from its unidentified client’s network. The unrecognized entity appeared to be performing extensive information-gathering, testing network connectivity, listing processes, gathering user information, and much more. It “indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI.

It turned out that the attacker Volt Typhoon had deployed a webshell to the network a whole six months prior.

With initial access, the attackers were able to drop a Web shell that was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software.

The group proceeded to enumerate admin credentials and move laterally in the network. The evidence tampering was extensive, nearly eliminating all traces of malicious activity. However, the attackers forgot to erase the Java source code and compiled Class files from their targeted Apache Tomcat Web server.