Volt Typhoon, the Chinese-backed hacking group that targeted US facilities in the Pacific in May 2023, has been observed in the wild using what one security team has dubbed “novel tradecraft”.
Researchers at CrowdStrike have been tracking the group’s operations and have identified historical activity matching the threat actor’s tactics, techniques, and procedures (TTPs) going back to at least 2020.
But what has caught their attention is one particular technique, which appears to rely upon a particular exploit in ManageEngine’s ADSelfService Plus identity security platform, running on an Apache Tomcat server.
After the targeted system had been taken off the network and its owners informed of the incident, researchers got to work. What they found in the access logs for the server were multiple HTTP POST requests with timestamps that matched the threat actor’s activity. From there, they found a web shell operating as a legitimate ADSelfService Plus file — complete with links to ManageEngine’s help desk.
What caught CrowdStrike’s attention was that despite clearly malicious activity — Volt Typhoon was seen to be reconnoitring a targeted network — the usual evidence of exploitation of the ADSelfService Plus vulnerability was not present.
“This is where an investigation might typically end,” CrowdStrike’s experts said in a blog post, “but the expected access log artifacts that would indicate CVE-2021-40539 were not present, even though the TTPs of the malicious activity were a match for this CVE”.
Given that Volt Typhoon had clearly been very familiar with the target and had already compromised the target’s admin credentials, the researchers looked deeper.
What they discovered was that the threat actor had been actively erasing its tracks, deleting a number of logs and files that might point to its illicit activity. However, they neglected the fact that the Jasper 2 JSP Engine, which generates source code from JSP files, stores its class files in a separate directory.
And this is where CrowdStrike found the evidence it was looking for.
“Vanguard Panda went through extensive lengths to clear out multiple log files and remove excess files from disk — but they didn’t clear out the generated Java source or compiled Class files,” CrowdStrike said. “As a result, Falcon Complete discovered numerous web shells and backdoors all connected to this same attack.”
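The survivor artefact described above can be triaged directly: Jasper writes a generated `<name>_jsp.java` and compiled `<name>_jsp.class` under Tomcat's `work/Catalina/<host>/<context>/org/apache/jsp/` tree, mirroring the webapp's directory layout, so a compiled JSP with no matching source file in the webapp is worth examining. The script below is an added example, not CrowdStrike's tooling; the directory layout, the `_XXXX` hex name mangling it reverses and the sample files it creates are assumptions about Jasper's conventions, simplified.

```python
import os
import re
import tempfile

# Jasper mangles characters that are not valid in Java identifiers as _XXXX
# (four hex digits) and turns '.' into '_': foo-bar.jsp -> foo_002dbar_jsp.java
MANGLED = re.compile(r"_([0-9a-fA-F]{4})")


def generated_to_jsp(rel_path: str) -> str:
    """Map 'help/api_002dlogin_jsp.class' (relative to org/apache/jsp/) back to
    'help/api-login.jsp'; return '' for inner classes or non-JSP files."""
    stem = rel_path.replace(os.sep, "/").rsplit(".", 1)[0]
    if not stem.endswith("_jsp") or "$" in stem:
        return ""
    parts = stem[:-len("_jsp")].split("/")
    parts[-1] = MANGLED.sub(lambda m: chr(int(m.group(1), 16)), parts[-1])
    return "/".join(parts) + ".jsp"


def find_orphaned_jsp_artifacts(work_jsp_root: str, webapp_root: str) -> list:
    """Sorted JSP paths that have generated/compiled artefacts in the work tree
    but no source file left in the webapp (the evidence that survives cleanup)."""
    orphans = set()
    for dirpath, _, files in os.walk(work_jsp_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), work_jsp_root)
            jsp = generated_to_jsp(rel)
            if jsp and not os.path.exists(os.path.join(webapp_root, jsp)):
                orphans.add(jsp)
    return sorted(orphans)


def demo() -> list:
    """Constructed layout (not real data): one JSP still deployed, one whose
    source was deleted while its generated .java/.class were left behind."""
    root = tempfile.mkdtemp()
    webapp = os.path.join(root, "webapps", "app")
    work = os.path.join(root, "work", "Catalina", "localhost", "app",
                        "org", "apache", "jsp")
    for rel in ("help/index_jsp.java", "help/index_jsp.class",
                "help/api_002dlogin_jsp.java", "help/api_002dlogin_jsp.class"):
        os.makedirs(os.path.join(work, "help"), exist_ok=True)
        open(os.path.join(work, rel), "w").close()
    os.makedirs(os.path.join(webapp, "help"))
    open(os.path.join(webapp, "help", "index.jsp"), "w").close()
    return find_orphaned_jsp_artifacts(work, webapp)  # -> ['help/api-login.jsp']


if __name__ == "__main__":
    for jsp in demo():
        print("compiled JSP without source in webapp:", jsp)
```

On a live server, point `find_orphaned_jsp_artifacts` at the real `org/apache/jsp` directory of the suspect context and its webapp root, then review the retained `.java` source of any orphan it reports.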
Using backdoors into an Apache Tomcat library is something that the researchers had not seen utilised by Volt Typhoon before, but the tactics used match the threat actor’s previously observed TTPs.
“This backdoor was likely used by Vanguard Panda [CrowdStrike’s own attribution of the group] to enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities,” CrowdStrike said.