Attackers exploit ManageEngine flaw to steal sensitive data
In a smaller subset of attacks, the researchers also observed a modified version of a backdoor called NGLite, an open-source backdoor written in Go that its author describes as an “anonymous cross-platform remote control program based on blockchain technology.” The backdoor uses what the researchers call a “very rare” tactic for its command-and-control (C2) channel: the New Kind of Network (NKN) infrastructure, a legitimate network service that relies on blockchain technology to support a decentralized network.
The attackers used Godzilla or NGLite to execute commands and move laterally across the network while exfiltrating data. As part of this exfiltration effort, the researchers observed KdcSponge being deployed to the victims' domain controllers. The tool works by injecting itself into the Local Security Authority Subsystem Service (LSASS), the Windows process responsible for enforcing the system's security policy, including user authentication. From there it hooks three functions (KdcVerifyEncryptedTimeStamp, KerbHashPasswordEx3 and KerbFreeKey) to collect the usernames and passwords of accounts attempting to authenticate to the domain via Kerberos.
“The malicious code writes the stolen credentials to a file, but relies on other exfiltration capabilities,” the researchers said. “KdcSponge will capture the domain name, username, and password to a file on the system which the threat actor would then manually exfiltrate through existing server access.”
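A tool that hooks Kerberos functions inside LSASS has to get its code into the lsass.exe process first, and on a domain controller that is a rare, high-signal event. The detection logic below is an added example written for this article, not code from Unit 42 or from the campaign it describes. It assumes Sysmon-style events (ID 7 image load, ID 8 remote thread creation) have already been exported as JSON lines with the field names used here; the event lines, the host name and the source-process allowlist are constructed for illustration and should be tuned to the environment.

```python
"""Flag module loads and remote threads targeting lsass.exe.

Added example (not from the original article or the researchers' tooling).
Assumes Sysmon-style events serialized one JSON object per line with the
field names used below; sample events are constructed, not captured.
"""
import json

# Processes that legitimately create threads in lsass.exe. Assumption:
# csrss/wininit are typical, but tune this list per environment.
SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass(path):
    """True when the image path refers to lsass.exe (case-insensitive)."""
    return path.lower().endswith(r"\lsass.exe")


def microsoft_signed(ev):
    """True when Sysmon recorded a valid signature from Microsoft."""
    signed = str(ev.get("Signed", "")).lower() == "true"
    return signed and "microsoft" in str(ev.get("Signature", "")).lower()


def classify(ev):
    """Return an alert string for a suspicious event, or None if benign."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    # Rule 1: any non-Microsoft module loaded into lsass.exe.
    # An in-process credential hook such as KdcSponge shows up here.
    if eid == 7 and is_lsass(ev.get("Image", "")):
        if not microsoft_signed(ev):
            return (f"{host}: non-Microsoft module "
                    f"{ev.get('ImageLoaded')} loaded into lsass.exe")
    # Rule 2: a thread injected into lsass.exe from an unexpected process.
    if eid == 8 and is_lsass(ev.get("TargetImage", "")):
        src = ev.get("SourceImage", "")
        if src.lower() not in SOURCE_ALLOWLIST:
            return f"{host}: remote thread in lsass.exe from {src}"
    return None


def scan(lines):
    """Parse JSON-lines events and return the list of alerts, in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        alert = classify(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events; raw string keeps the JSON backslash escapes.
SAMPLE_LOG = r"""
{"EventID": 7, "Computer": "DC01", "Image": "C:\\Windows\\System32\\lsass.exe", "ImageLoaded": "C:\\Windows\\System32\\kerberos.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Computer": "DC01", "Image": "C:\\Windows\\System32\\lsass.exe", "ImageLoaded": "C:\\Windows\\Temp\\update.dll", "Signed": "false", "Signature": ""}
{"EventID": 8, "Computer": "DC01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 8, "Computer": "DC01", "SourceImage": "C:\\Users\\Public\\loader.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 7, "Computer": "WS07", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\Public\\x.dll", "Signed": "false", "Signature": ""}
"""


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a)
```

Only the unsigned DLL in lsass.exe and the thread injected from `loader.exe` are reported; the signed Microsoft module, the csrss.exe thread and the unsigned load into notepad.exe are not. In production, scope rule 1 to domain controllers and alert on any hit, since legitimate third-party modules inside LSASS on a DC are rare enough to review by hand.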
The researchers said attribution for the campaign is still ongoing and they were unable to validate the attacker. However, they observed correlations between the tactics and tools used in this campaign and those used by APT27 (also known as TG-3390 or Emissary Panda), a Chinese cyber espionage threat group that has been in existence since 2010.
“Specifically… we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their first steps before taking advantage of legitimate stolen credentials for lateral moves and attacks on a domain controller,” they said. “Although the webshells and exploits differ, once the actors gained access to the environment, we noticed an overlap in some of their exfiltration tools.”
Organizations are encouraged to update to ADSelfService Plus build 6114 or later, which fixes the vulnerability.
“The FBI, CISA and CGCYBER are urging users and administrators to update to ADSelfService Plus build 6114,” CISA said in its September advisory. “In addition, the FBI, CISA and CGCYBER urge organizations to ensure that ADSelfService Plus is not directly accessible from the Internet.”