Threat Management

Novel techniques leveraged in Chinese hacking attacks against critical infrastructure

New, more sophisticated tactics have been attributed to Volt Typhoon, the Chinese state-sponsored cyberespionage operation also tracked as Bronze Silhouette and Vanguard Panda, in its attacks on critical infrastructure organizations, The Hacker News reports. According to a CrowdStrike report, Volt Typhoon has been gaining initial access through exploits against Zoho ManageEngine ADSelfService Plus, then deploying custom web shells for persistent access and using living-off-the-land binaries (LOLBins) for lateral movement. Investigation of a thwarted Volt Typhoon attack against an unnamed CrowdStrike customer indicated that the attackers may have exploited CVE-2021-40539, a critical authentication bypass flaw in ManageEngine ADSelfService Plus, to plant a web shell on the product's Apache Tomcat server, and that the intrusion dated back roughly six months. Although the attackers tried to cover their tracks, they failed to remove the Java source code and compiled class files they had left behind, which let researchers identify a JSP file that, through an ancillary JAR file, activates a backdoored Apache Tomcat library.
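The clean-up failure described above (leftover Java source and class files, an extra JAR, a JSP that should not be there) is exactly the residue a defender can hunt for in a Tomcat-hosted application such as ADSelfService Plus. The script below is an added example written for this page, not CrowdStrike's or Zoho's tooling: it walks a webapp directory and flags source files shipped into a deployment, class files outside WEB-INF/classes, JSPs modified after the deployment descriptor, and JARs in WEB-INF/lib that are either missing from a known-good allowlist or whose hash does not match it. The directory layout, file names, JAR contents and timestamps it builds are constructed for the demonstration; a real allowlist would come from a golden install or the vendor's file manifest.

```python
"""Hunt for web-shell residue in a Tomcat webapp tree (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

DEPLOY_TS = 1_600_000_000          # constructed deployment time (epoch seconds)
SIX_MONTHS = 180 * 86400           # residue in the demo is this much newer

# Constructed allowlist: JAR name -> sha256 of the bytes a clean deployment ships.
GOOD_JAR_BYTES = {
    "app-core.jar": b"PK\x03\x04 constructed app-core contents",
    "websocket-helper.jar": b"PK\x03\x04 constructed websocket-helper contents",
}
KNOWN_JARS = {name: hashlib.sha256(data).hexdigest()
              for name, data in GOOD_JAR_BYTES.items()}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webapp(app_root, known_jars, newer_than=None):
    """Return sorted (category, relative_path) findings for one webapp.

    known_jars: mapping of JAR file name -> expected sha256.
    newer_than: epoch seconds; JSP files modified after this are flagged.
    """
    app_root = Path(app_root)
    findings = []
    for p in app_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(app_root).as_posix()
        suffix = p.suffix.lower()
        if suffix == ".java":                      # source never belongs in a deployment
            findings.append(("source-in-deployment", rel))
        elif suffix == ".class" and not rel.startswith("WEB-INF/classes/"):
            findings.append(("stray-class-file", rel))
        elif suffix == ".jar":
            if not rel.startswith("WEB-INF/lib/"):
                findings.append(("jar-outside-lib", rel))
            elif p.name not in known_jars:         # e.g. an attacker's ancillary JAR
                findings.append(("unknown-jar", rel))
            elif sha256_file(p) != known_jars[p.name]:   # e.g. a backdoored library
                findings.append(("jar-hash-mismatch", rel))
        elif (suffix == ".jsp" and newer_than is not None
              and p.stat().st_mtime > newer_than):
            findings.append(("jsp-modified-after-deploy", rel))
    return sorted(findings)


def _write(path: Path, data: bytes, mtime: float) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))


def build_demo_tree(root: Path) -> None:
    """Construct a clean deployment plus residue of the kind the report describes."""
    _write(root / "WEB-INF/web.xml", b"<web-app/>", DEPLOY_TS)
    _write(root / "index.jsp", b"<%-- constructed landing page --%>", DEPLOY_TS)
    _write(root / "WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe", DEPLOY_TS)
    _write(root / "WEB-INF/lib/app-core.jar", GOOD_JAR_BYTES["app-core.jar"], DEPLOY_TS)
    later = DEPLOY_TS + SIX_MONTHS                 # constructed attacker activity
    _write(root / "help/Loader.java", b"// constructed leftover source", later)
    _write(root / "help/Loader.class", b"\xca\xfe\xba\xbe", later)
    _write(root / "help/status.jsp", b"<% /* constructed web shell */ %>", later)
    _write(root / "WEB-INF/lib/websocket-helper.jar", b"PK\x03\x04 tampered", later)
    _write(root / "WEB-INF/lib/ancillary.jar", b"PK\x03\x04 not in allowlist", later)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webapp-scan-"))
    build_demo_tree(root)
    deploy_ts = (root / "WEB-INF/web.xml").stat().st_mtime
    return scan_webapp(root, KNOWN_JARS, newer_than=deploy_ts)


if __name__ == "__main__":
    for category, rel in demo():
        print(f"{category:28} {rel}")
```

Run against a real install, point `scan_webapp` at the application's directory under Tomcat's webapps and supply an allowlist of JAR hashes taken from a clean copy; the mtime check is only a first cut, since an attacker can reset timestamps, so treat a clean JSP result as necessary rather than sufficient.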
