Register now for better personalized quote!

Microsoft: Chinese hackers are targeting Zoho ManageEngine software

Nov, 09, 2021 Hi-network.com

Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.

Recommends

  • Best VPN services
  • Best security keys
  • Best antivirus software
  • The fastest VPNs

Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539.Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company's enterprise IT management software division.

It's a targeted malware campaign, so most Windows users shouldn't need to worry about it, but Microsoft has flagged the campaign, which it first observed in September, because it's aimed at the US defence industrial base, higher education, consulting services, and IT sectors.


See also:Ransomware: It's a 'golden era' for cybercriminals - and it could get worse before it gets better.


MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers.

Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October. 

The bug concerns a REST API authentication bypass that can lead to remote code execution in vulnerable devices. 

Microsoft fleshes out some details on the latest activity of the group's use of the Zoho bug, which relied on the Godzilla webshell payload. Webshells are generally considered a problem because they can survive a patch on the underlying OS or software. 

It notes that the group was involved in "credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network."


See also:Ransomware: Industrial services top the hit list - but cybercriminals are diversifying.


The attack group also deployed a Trojan Microsoft calls Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

"Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it," notes Palo Alto Networks.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.