Cyber security firm Palo Alto Networks, working with the US National Security Agency, found that foreign hackers breached nine organisations across the energy, technology, defence, health and education industries in a suspected espionage campaign, CNN reported.
“As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October,” a release on the Palo Alto Networks website read.
“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.”
The tooling also points toward a Chinese-speaking developer base: the report notes that both the Godzilla web shell and the NGLite backdoor deployed alongside it were written with Chinese-language instructions, a signal that points toward, but does not by itself establish, the actor's origin.
“Both Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub. We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” the release read.
The findings follow the August attack on the Port of Houston, one of the largest ports in the United States, which is suspected to have been carried out by a state-sponsored group.
Several media outlets have reported that the attackers got in by exploiting Zoho's ManageEngine ADSelfService Plus, a self-service password management product, at a time when the use of password management tools was already under scrutiny.
In mid-September, the US Cybersecurity and Infrastructure Security Agency released an alert on the actively exploited ManageEngine ADSelfService Plus vulnerability, an authentication bypass tracked as CVE-2021-40539.
“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software,” the alert read.
“Successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement and exfiltrating registry hives and Active Directory files.
“Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult – the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.”
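As an added illustration (not part of the original article or of the CISA alert), the following Python script shows the kind of check a defender would run for the compromise pattern the alert describes: it searches ADSelfService Plus access-log lines for requests to the REST API paths that CISA's September 2021 advisory associated with exploitation (/RestAPI/LogonCustomization and /RestAPI/Connection), and it flags .jsp files in the help/admin-guide/Reports directory where the advisory reported the dropped web shell. The log lines and file listing are constructed samples, the Tomcat-style log format and the path normalisation are assumptions, and the function names are my own.

```python
import posixpath
import re
from dataclasses import dataclass

# REST API paths that CISA's September 2021 advisory on ADSelfService Plus
# associated with exploitation attempts. Any request hitting them deserves review.
SUSPICIOUS_REST_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Directory (relative to the ADSelfService Plus install) in which the advisory
# reported the dropped web shell. Assumption: the shipped help tree holds static
# content only, so any .jsp here is unexpected.
WEBSHELL_DIR = "webapps/adssp/help/admin-guide/Reports/"

# Tomcat common-log-style access line (assumed format), e.g.
# 203.0.113.5 - - [22/Sep/2021:10:15:03 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 64
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str      # normalised request path
    status: int


def normalise_path(raw_path: str) -> str:
    """Strip the query string and collapse dot segments, so that variants such
    as /./RestAPI/... that a naive prefix match would miss are still caught."""
    path = raw_path.split("?", 1)[0]
    return posixpath.normpath(path)


def find_exploitation_indicators(log_lines):
    """Return a Hit for every access-log line whose request targets one of the
    suspicious REST API paths, regardless of method or response code."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:          # unparsable line: skip it rather than abort the sweep
            continue
        path = normalise_path(m.group("path"))
        if any(path.startswith(p) for p in SUSPICIOUS_REST_PATHS):
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            path, int(m.group("status"))))
    return hits


def find_unexpected_jsp(relative_paths):
    """Return .jsp files found under the help Reports directory (Windows or
    POSIX separators accepted), normalised to forward slashes and sorted."""
    found = []
    for p in relative_paths:
        norm = p.replace("\\", "/")
        if norm.startswith(WEBSHELL_DIR) and norm.lower().endswith(".jsp"):
            found.append(norm)
    return sorted(found)


# Constructed sample data (not real logs): two exploitation-style requests,
# one benign page load, a refused probe, and a malformed line.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [22/Sep/2021:09:58:11 +0000] "GET /adssp/index.html HTTP/1.1" 200 8120',
    '203.0.113.5 - - [22/Sep/2021:10:15:03 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Sep/2021:10:15:09 +0000] "POST /RestAPI/Connection?debug=1 HTTP/1.1" 200 64',
    '198.51.100.9 - - [22/Sep/2021:10:20:44 +0000] "GET /RestAPI/Connection HTTP/1.1" 401 0',
    "this line is not an access-log entry",
]

# Constructed file listing relative to the install directory.
SAMPLE_FILES = [
    "webapps/adssp/help/admin-guide/Reports/index.html",
    "webapps\\adssp\\help\\admin-guide\\Reports\\ReportGenerate.jsp",
    "webapps/adssp/jsp/Login.jsp",   # hypothetical legitimate application page
]


if __name__ == "__main__":
    for hit in find_exploitation_indicators(SAMPLE_ACCESS_LOG):
        print(f"[log] {hit.timestamp} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
    for path in find_unexpected_jsp(SAMPLE_FILES):
        print(f"[fs]  unexpected JSP: {path}")
```

Because the alert warns that the attackers run clean-up scripts on the host, run the log check against copies forwarded off the box (SIEM, log shipper, backups) rather than only the live files, and treat an empty result on the host as inconclusive rather than clean. The filesystem check is deliberately independent of the logs for the same reason: a web shell that survives the clean-up is evidence even when the request that planted it has been scrubbed.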