China's Volt Typhoon APT Turns to Zoho ManageEngine for Fresh Cyberattacks

Published: 23/11/2024   Category: security




A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.



Editor's Note: This article was updated on 7/3/2023 to clarify that CVE-2021-40539 was patched in September 2021.
The recently discovered Chinese state-backed advanced persistent threat (APT) Volt Typhoon, aka Vanguard Panda, has been spotted using a two-year-old critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.
Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.
The reports detailed a number of Volt Typhoon's tactics, techniques, and procedures (TTPs), including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and the hiding of network activity via compromised routers, firewalls, and VPN hardware.
But a recent campaign outlined by CrowdStrike in a recent blog post suggests that Volt Typhoon is flexible, with the ability to customize its tactics based on data gathered through extensive reconnaissance. In this case, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along.
"These previously unknown tactics enabled pervasive access to the victim's environment for an extended period," says Tom Etheridge, chief global professional services officer for CrowdStrike, which didn't reveal details on the victim's location or profile. "They were familiar with the infrastructure that the customer had, and they were diligent about cleaning up their tracks."
CrowdStrike researchers' spidey senses tingled when suspicious activity seemed to be emanating from its unidentified client's network.
"The then-unrecognized entity appeared to be performing extensive information-gathering — testing network connectivity, listing processes, gathering user information, and much more. It indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for [Windows Management Instrumentation]," the researchers wrote in their blog post.
It turned out, after some investigating, that the attacker — Volt Typhoon — had deployed a Web shell to the network a whole six months prior. How did it go unnoticed for so long?
The story began with CVE-2021-40539, a critical (9.8 CVSS score) remote code execution (RCE) vulnerability in ADSelfService Plus, discovered and patched back in Sept. 2021. ManageEngine software, and ADSelfService Plus in particular, has been critically exposed on a number of occasions in recent years (CVE-2021-40539 isn't even its most recent critical 9.8 CVSS RCE vulnerability — that title goes to CVE-2022-47966).
With initial access, the attackers were able to drop a Web shell. Here was where the more interesting stealth began, as the researchers observed the Web shell attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to "ManageEngine ADSelfService Plus" and adding links to legitimate enterprise help desk software.
The group proceeded to siphon administrator credentials and move laterally in the network. "It took a cruder, manual approach to covering its tracks this time around, going to extensive lengths to clear out multiple log files and remove excess files from disk," the researchers explained.
The evidence tampering was extensive, nearly eliminating all traces of malicious activity. However, the attackers forgot to erase the Java source code and compiled Class files from their targeted Apache Tomcat Web server.
"If it wasn't for that slight slip-up that was reported in the blog, they probably would have gone unnoticed," Etheridge says.
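One defender-side check the slip-up above suggests: Tomcat's Jasper compiler keeps a `.java` and `.class` artifact for every JSP it has ever served, so a compiled JSP with no matching source in the deployed webapp points at a file that was later removed. This is an added hunting script, not CrowdStrike's or the page's code; it assumes the default Jasper layout (`/a/b.jsp` → `<work>/org/apache/jsp/a/b_jsp.java`) and simple JSP names (Tomcat mangles other characters, which the helper does not undo), and the sample directory tree it walks is constructed inline.

```python
import tempfile
from pathlib import Path

JSP_ARTIFACT_SUFFIXES = ("_jsp.java", "_jsp.class")


def jsp_name_from_artifact(filename: str):
    """Map a Jasper artifact name (bar_jsp.java / bar_jsp.class) back to bar.jsp.
    Assumption: simple JSP names only; mangled names (e.g. '-' -> _002d) are not undone."""
    for suffix in JSP_ARTIFACT_SUFFIXES:
        if filename.endswith(suffix):
            return filename[: -len(suffix)] + ".jsp"
    return None


def find_orphaned_jsp_artifacts(work_ctx: Path, webapp_root: Path):
    """Return (artifact, expected_source) pairs for compiled JSPs in a Tomcat work
    context directory whose .jsp no longer exists under the deployed webapp.
    Jasper writes /a/b.jsp to <work_ctx>/org/apache/jsp/a/b_jsp.{java,class}."""
    jsp_base = work_ctx / "org" / "apache" / "jsp"
    orphans = []
    for artifact in jsp_base.rglob("*"):
        if not artifact.is_file():
            continue
        jsp_name = jsp_name_from_artifact(artifact.name)
        if jsp_name is None:
            continue  # not a JSP artifact (e.g. tag handlers, other classes)
        rel_dir = artifact.parent.relative_to(jsp_base)
        expected_source = webapp_root / rel_dir / jsp_name
        if not expected_source.exists():
            orphans.append((artifact, expected_source))
    return orphans


def demo():
    """Build a constructed Tomcat layout: two legitimate JSPs with their artifacts,
    plus artifacts for a removed 'upload.jsp' (the web shell scenario). Returns the
    webapp-relative paths of orphaned sources, deduplicated across .java/.class."""
    root = Path(tempfile.mkdtemp())
    webapp = root / "webapps" / "ROOT"
    work = root / "work" / "Catalina" / "localhost" / "ROOT"
    for rel in ("index.jsp", "help/faq.jsp"):
        (webapp / rel).parent.mkdir(parents=True, exist_ok=True)
        (webapp / rel).write_text("<html></html>")
    for rel in ("index_jsp.java", "index_jsp.class", "help/faq_jsp.class",
                "upload_jsp.java", "upload_jsp.class"):  # upload.jsp source deleted
        (work / "org/apache/jsp" / rel).parent.mkdir(parents=True, exist_ok=True)
        (work / "org/apache/jsp" / rel).write_bytes(b"\x00")
    orphans = find_orphaned_jsp_artifacts(work, webapp)
    return sorted({src.relative_to(webapp).as_posix() for _, src in orphans})
```

`demo()` reports only `upload.jsp`; on a real host, point `find_orphaned_jsp_artifacts` at `$CATALINA_BASE/work/Catalina/<host>/<context>` and the matching webapp directory, and review each orphan's retained `.java` source as forensic evidence.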
Thus far, Volt Typhoon has been observed targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. It's most notable, however, for seeking out critical infrastructure in the United States and Guam — a strategic point of American defense of Taiwan against China.
According to Etheridge, some of the same principles in this case study could be equally applied to a critical infrastructure breach. Operational technology (OT)-type environments are typically targeted through IT infrastructure first, before the threat actor moves to the OT infrastructure, he points out. "Certainly the tactics that we see them deploying would be concerning from a critical infrastructure perspective."
To meet the threat of Volt Typhoon, Etheridge says, one major point is identity management.
"Identity is a huge challenge for a lot of organizations. We've seen a huge uptick in advertisements for stolen credentials, and stolen credentials are leveraged quite extensively in the incidents that we respond to each and every day," he says. In this case, being able to leverage stolen credentials was key to Volt Typhoon's remaining under the radar for so many months.
Etheridge also emphasizes the importance of threat hunting and incident response. Nation-state threat actors are notoriously impossible to stop entirely, but organizations will be better prepared to mitigate the worst possible consequences, he says, if they're able to "understand when something is going on in your environment, and being able to take corrective action quickly."