Security Researchers Report Hacker Attacks on Sensitive Targets

Security researchers with Palo Alto Networks reported troubling findings concerning hacker efforts to breach target entities working in sensitive sectors such as defense, health care and energy. The investigation conducted by the security firm was backed by the US Cybersecurity and Infrastructure Security Agency.

According to the information that Palo Alto first shared with CNN at least nine separate entities working in those sensitive sectors were targeted across the globe, with "at least" one of those entities being located in the US.

The preparation for the attacks began in mid-September 2021, with threat actors using "leased infrastructure" located inside the US to scan a large number of company networks for vulnerabilities. Out of the hundreds of entities scanned, Palo Alto believes at least nine were successfully breached, and at least one of the successful breaches was against a US organization.

The attackers used a now-patched vulnerability in Zoho Corporation's ManageEngine software. The vulnerability was tracked under the CVE-2021-40539 designator.

Since the attack vector and payload used were the same across all targeted organizations, it would seem this was all performed by the same threat actor. The compromised networks had the Godzilla webshell uploaded to them. In a limited pool of targets, a backdoor was also installed.

Once the tools had been deployed, the threat actors used them for lateral movement and file exfiltration. When domain controller access was obtained by the hackers, they also installed a tool allowing them to steal login credentials.

There is no hard information about the identity of the attackers but according to Palo Alto some of the tactics used in infiltrating the networks aligned with the methods of a Chinese threat actor. The Godzilla web shell used in the attacks was also the Chinese-language version of the tool. Cyber espionage remains a significant threat, like this latest joint discovery by Palo Alto and the US CISA shows. Organizations need to guard both against money-hungry ransomware actors and against espionage attacks similar to this latest breach.

November 9, 2021