Palo Alto Networks recently issued a report detailing a targeted attack campaign that leveraged leased infrastructure in the U.S. to scan hundreds of vulnerable organizations, which compromised at least nine global entities in the technology, defense, healthcare, energy, and education sectors.
The report drew a shout-out from Rob Joyce, Director of Cybersecurity at the National Security Agency (NSA). “Review this blog and check your networks for IOCs related to this ongoing malicious activity,” he said in a Twitter posting. “Actionable threat sharing among public-private partners makes a difference against adversary intrusions. Good work by all involved!
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning on Sept. 16 detailing an advanced persistent threat (APT) that was actively trying to exploit newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus.
According to the report, as early as Sept. 17, the APT actor had leveraged leased infrastructure in the U.S. to carry out the attack.
“Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell,” the report said. “This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite.”
The webshell or the NGLite payload was then used to run commands and move laterally to other systems on the network. During which time the threat actor exfiltrated files by downloading them from the server, Palo Alto said.
