author photo
By SecureWorld News Team
Tue | Nov 9, 2021 | 3:02 AM PST

Data are a hot commodity. Even if your organization shares seemingly insignificant information in daily emails, there is the possibility it could be more valuable than it seems. 

For actors hacking on behalf of a foreign government, credentials belonging to any employee can be a potential goldmine—especially if it's related to an enemy state's weaknesses. 

According to Palo Alto Networks, suspected nation-state hackers with alleged ties to China have breached nine U.S. organizations, ranging from defense to healthcare, in a widespread espionage campaign.  

In recent findings shared exclusively with CNN, Palo Alto Networks uncovered technical details related to a vulnerability with a similar, yet different, modus operandi (MO) to a warning of an Advanced Persistent Threat (APT) reported by U.S. CISA in September. 

Further, the attackers developed unique and diabolical techniques to victimize networks with a focus on credential theft. 

Malicious threat actor develops custom tools to steal credentials

The backbone of this malicious campaign appears to be related to accessing as much sensitive information as possible, even routine facts. 

"In aggregate, access to that information can be really valuable. Even if it's not classified information, even if it's just information about how the business is doing," said Ryan Olson, Vice President of Palo Alto Networks' Unit 42 division. 

The cybersecurity company says the attacker used a malware dropper, which contained a Java Server Page (JSP) webshell, fittingly known as Godzilla webshell V3.00+. 

"The Godzilla webshell was developed by user BeichenDream, who stated they created this webshell because the ones available at the time would frequently be detected by security products during red team engagements. As such, the author advertises it will avoid detection by leveraging AES encryption for its network traffic and that it maintains a very low static detection rate across security vendor products," reads Palo Alto Networks' analysis. 

A modified backdoor Trojan, called NGLite, was also described as being an important factor in breaking into an organization's network. 

"Upon compromising a network, the threat actor moved quickly from their initial foothold to gain access to other systems on the target networks by running commands via their NGLite payload and the Godzilla webshell. After gaining access to the initial server, the actors focused their efforts on gathering and exfiltrating sensitive information from local domain controllers, such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.

Shortly after, we observed the threat actors installing the KdcSponge credential stealer, which we will discuss in detail next. Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration."

Analysis revealed both were available free on GitHub and both were written in the Chinese language.  

"Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration," the analysis reads. 

Back in September, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA21-259A, bringing attention to tactics, techniques, and procedures (TTPs) to exploit a vulnerability found in Zoho's password management tool ManageEngine ADSelfService Plus.

While similar to the vulnerabilities reported by CISA, this cyber threat is different. 

"The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability."

Public and private sectors work together in cybersecurity efforts

CNN reporter Sean Lyngaas, who covered this story, wrote about the overarching point of going public with this information. 

"It's [this campaign] the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers' tools in the process."

Several government leaders have tweeted about the collaboration that went into this malicious campaign. 

Rob Joyce, Director of Cybersecurity for the National Security Agency (NSA), tweeted an advisory for organizations to be vigilant and to share information related to this threat. 

Delve further into the technical details to learn how you can mitigate this threat.


Curious to learn more about security topics like multi-factor authentication (MFA), ransomware, and mitigating insider threats? Register to attend SecureWorld Rockies virtual conference.