Cybersecurity sleuths have shared details of a large-scale ongoing hacking campaign that exploits a critical, but already patched, vulnerability in Zoho's business password manager, to exfiltrate sensitive information from unpatched servers.
The bug, tracked as CVE-2021-40539 is a remote code execution (RCE) vulnerability that exists in Zoho's ManageEngine ADSelfService Plus software that provides both single sign-on and password management capabilities.
The attacks were detected by security researchers at Palo Alto Networks’ Unit42 division, right around the time when US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory, along with the FBI, and the Coast Guard Cyber Command (CGCYBER) about threat actors exploiting the Zoho vulnerability.
“Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities,” note the Unit42 researchers in a post unraveling the modus operandi of the threat actors.
Patch immediately
According to the researchers, attempts to exploit the Zoho vulnerability began on September 22, following a five-day reconnaissance scan to identify potential targets who hadn't yet patched their systems.
Since the campaign is still ongoing it is difficult to gauge its scope, but the researchers can confirm that it has already compromised at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.
“Unit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” note the researchers.
After compromising a server using the Zoho vulnerability, the threat actors have been observed to upload a payload that deployed a Godzilla webshell, for persistent access to the compromised server.
The web shell is then used to deploy additional tools, such as a custom variant of an open source backdoor called NGLite, and a credential-harvesting tool known as KdcSponge.
The researchers have shared the findings with other members of the Cyber Threat Alliance (CTA) to help them deploy protections for their respective customers in order to disrupt the campaign.
