Vanguard Panda Hackers Use Unique Method to Access Networks

The Chinese cyber espionage group known as "Volt Typhoon," which cybersecurity firm CrowdStrike tracks as "Vanguard Panda," has been identified as maintaining remote access to targets of interest. The group is known for using a set of open source tools to conduct long-running malicious operations against a limited number of US government, defense, and critical infrastructure organizations. It relies primarily on web shells to establish persistence and on short bursts of hands-on activity, mostly built around living-off-the-land (LOTL) binaries, to achieve its goals.

CrowdStrike reported that the hackers exploited vulnerabilities in ManageEngine ADSelfService Plus to gain initial entry and then used their own web shells for persistent access. In one unsuccessful incident, Vanguard Panda targeted the Zoho ManageEngine ADSelfService Plus service to run malicious commands through its Apache Tomcat server.

According to the researchers, Vanguard Panda's actions indicate deep familiarity with the target environment: the commands were issued in quick succession and referenced specific internal hostnames and IP addresses to ping, remote shares to mount, and plaintext credentials to use with WMI.

Further analysis identified a web shell, "/html/promotion/selfsdp.jspx," that had been deployed six months before the aforementioned operation. The web shell is believed to have been disguised as a legitimate identity-security component to avoid detection. It is still unclear how Vanguard Panda initially infiltrated the ManageEngine environment, but all signs point to exploitation of CVE-2021-40539, a critical authentication-bypass vulnerability that leads to remote code execution.
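A web shell like the one described above is a server-side page the application never shipped, so one practical detection is to compare the JSP/JSPX paths actually served by Tomcat against an inventory of the endpoints the product is known to expose. The following script is an added example (not from CrowdStrike's report or from ManageEngine) that parses Tomcat-style "common" access-log lines and flags successful requests to unexpected .jsp/.jspx paths; the allowlist, the source addresses and the log lines are all constructed for illustration.

```python
"""Flag served requests to JSP/JSPX paths that are not in a known-good inventory.

Added example, not code from the original article or from ManageEngine.
The allowlist and the sample log lines below are constructed, not real data.
"""
import re
from collections import Counter

# Apache Tomcat "common" access-log format:
#   host ident user [time] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Hypothetical allowlist: JSP endpoints a baseline inventory of the
# application found. In practice, build it from a clean install.
KNOWN_JSP_PATHS = {"/samlLogin.jsp", "/help/index.jsp"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_jsp_requests(lines, allowlist=KNOWN_JSP_PATHS):
    """Return (path, method, src, status) for successful requests to .jsp/.jspx
    paths outside the allowlist. Query strings are stripped before comparison
    and only 2xx responses count, since a shell that was never served is noise."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith((".jsp", ".jspx")):
            continue
        if path in allowlist:
            continue
        if rec["status"].startswith("2"):
            hits.append((path, rec["method"], rec["src"], rec["status"]))
    return hits


def summarize(hits):
    """Count hits per unexpected path so a repeatedly used page stands out."""
    return Counter(path for path, *_ in hits)


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2023:10:00:03 +0000] "GET /samlLogin.jsp HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2023:10:00:05 +0000] "GET /old/test.jspx HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Jan/2023:10:00:09 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2023:10:00:11 +0000] "GET /images/logo.png HTTP/1.1" 200 3100',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    hits = find_suspicious_jsp_requests(SAMPLE_LOG)
    for path, method, src, status in hits:
        print(f"unexpected JSP served: {method} {path} from {src} ({status})")
    print("per-path counts:", dict(summarize(hits)))
```

On the constructed input only the two served requests to /html/promotion/selfsdp.jspx are reported; the allowlisted login page, the 404 and the non-JSP resource are ignored. Pairing this log-side check with a file-system comparison of the web root against a clean install catches shells that are present but not yet requested.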

The group's meticulous reconnaissance and exploitation tactics suggest a significant level of sophistication and organization within the Chinese cyber espionage ecosystem.
