China-Linked APT Group VANGUARD PANDA Employs New Techniques in Recent Cyber Attacks

June 26, 2023

CrowdStrike researchers have noticed a new approach employed by the China-linked APT group VANGUARD PANDA, or Volt Typhoon, to infiltrate target networks. Since mid-2021, this group has been involved in cyber operations against vital infrastructure. Recently, it has focused its attacks on organizations from a range of sectors, including communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education.

The group is mainly using living-off-the-land techniques and direct keyboard activity to avoid detection. The initial access is gained through exploiting ManageEngine Self-service Plus, followed by the use of custom webshells for persistent access, and living-off-the-land (LOTL) techniques for lateral movement. In one instance, the group targeted a Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server.

CrowdStrike's analysis revealed, “The malicious activity detailed in the detection included listing processes, network connectivity testing, gathering user and group information, mounting shares, enumeration of domain trust over WMI, and listing DNS zones over WMI.” Furthermore, the analysis showed that VANGUARD PANDA demonstrated a deep understanding of the target environment, likely obtained through extensive prior reconnaissance and enumeration.

The group's activities involved executing several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell used by the threat actors. The webshell was designed to appear as a legitimate file of ManageEngine ADSelfService Plus. The group seemed to have an in-depth knowledge of the target environment, possibly gained through thorough prior recon and enumeration.

It is believed that the attackers had previously obtained or compromised administrator credentials. CrowdStrike did not find access log artifacts for CVE-2021-40539, but noted that the Falcon sensor was only recently installed on the targeted host.

In September 2021, Zoho patched an authentication bypass vulnerability, tracked as CVE-2021-40539, in its ManageEngine ADSelfService Plus. The company also warned that this vulnerability was being exploited in attacks. The vulnerability could lead to remote code execution (RCE) through the REST API URLs in ADSelfService Plus.

The lack of artifacts indicating the exploitation of the aforementioned issue in the attack analyzed by CrowdStrike suggests that the attackers tried to cover their tracks. However, the VANGUARD PANDA hackers failed to clear out the generated Java source or compiled Class files, revealing several webshells and backdoors used in the same attack.

The report concluded, “The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by VANGUARD PANDA. This backdoor was likely used by VANGUARD PANDA to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.”

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.