The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.
The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.
“The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,” the cybersecurity company said.
Volt Typhoon, as known as Bronze Silhouette, is a cyber espionage group from China that’s been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations.
“This adversary has been known to leverage credentials and living-off-the-land techniques to remain hidden and move quickly through targeted environments,” Tom Etheridge, chief global professional services officer at CrowdStrike, told The Hacker News.
An analysis of the group’s modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.
It has been further described as a threat group that “favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives.”
In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others.
“Vanguard Panda’s actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI,” CrowdStrike said.
A closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that’s camouflaged as the legitimate identity security solution to sidestep detection.
The web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.
While it’s not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of CVE-2021-40539, a critical authentication bypass flaw with resultant remote code execution.
It’s suspected that the threat actor deleted artifacts and tampered with the access logs to obscure the forensic trail. However, in a glaring misstep, the process failed to account for Java source and compiled class files that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.
This includes a JSP file that’s likely retrieved from an external server and which is designed to backdoor “tomcat-websocket.jar” by making use of an ancillary JAR file called “tomcat-ant.jar” that’s also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.
The trojanized version of tomcat-websocket.jar is fitted with three new Java classes – named A, B, and C – with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.
“The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda,” CrowdStrike said, noting with moderated confidence that the implant is used to “enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.”
“In this case, […] Vanguard Panda had an advanced understanding of the victim’s environment indicating that they were persistent and went undetected prior to our technology being deployed while they carried out their reconnaissance efforts,” Etheridge explained. “Additionally it moved evidence, covering their tracks as they moved deeper into the victim’s infrastructure.”