Hackers Hit Healthcare, Other Sectors With Cyber Espionage Attacks

November 10, 2021 - Unidentified hackers breached at least nine organizations in the energy, technology, education, defense, and healthcare sectors in a large-scale cyber espionage attack, Palo Alto Networks discovered, with the help of National Security Agency (NSA) officials. NSA and Cybersecurity and Infrastructure Security Agency (CISA) officials are actively tracking the threat.

Ryan Olson, a senior Palo Alto Networks executive, told CNN that the nine victims are likely the “tip of the spear,” and more victims are expected to emerge. The hacking group’s tactics overlap with those used by a known Chinese hacking group, but the NSA and CISA have not commented on the identity of the hackers.

On September 16, CISA released an alert about advanced persistent threat (AOT) actors who were exploiting vulnerabilities in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

“The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability,” Palo Alto Networks explained in its brief.

As early as September 17, the hacking group leveraged leased infrastructure in the US to scan for vulnerable organizations. On September 22, the threat actors began exploitation attempts that were carried out through October and successfully compromised nine global entities, including one healthcare organization.

“Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite,” Palo Alto Networks continued.

“The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge.”

Hackers stole passwords from US defense contractors and other organizations with the intention of gaining long-term access to their networks.

“Both Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub. We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” Palo Alto Networks stated.

“Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it.”

Palo Alto Networks encouraged organizations that use Zoho software to update their systems and monitor their networks for signs of a breach.

Healthcare organizations are at an increased risk for cyberattacks due to the black-market value of protected health information (PHI) and a healthcare organization’s likelihood to comply with a ransom request.