Password manager hacked to launch wide-ranging cyberattack against businesses worldwide
Luckily the exploited bug has already been patched
Cybersecurity sleuths have shared details of a large-scale, ongoing hacking campaign that exploits a critical, but already patched, vulnerability in Zoho's business password manager to exfiltrate sensitive information from unpatched servers.
The bug, tracked as CVE-2021-40539, is a remote code execution (RCE) vulnerability in Zoho's ManageEngine ADSelfService Plus software, which provides both single sign-on and password management capabilities.
The attacks were detected by security researchers at Palo Alto Networks' Unit 42 division, right around the time the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint security advisory with the FBI and the Coast Guard Cyber Command (CGCYBER) about threat actors exploiting the Zoho vulnerability.
“Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities,” note the Unit 42 researchers in a post unraveling the modus operandi of the threat actors.
Patch immediately
According to the researchers, attempts to exploit the Zoho vulnerability began on September 22, following a five-day reconnaissance scan to identify potential targets who hadn’t yet patched their systems.
Since the campaign is still ongoing, it is difficult to gauge its full scope, but the researchers can confirm that it has already compromised at least nine organizations worldwide across critical sectors, including defense, healthcare, energy, technology, and education.
“Unit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” note the researchers.
After compromising a server through the Zoho vulnerability, the threat actors have been observed uploading a payload that deploys a Godzilla web shell, giving them persistent access to the compromised server.
The web shell is then used to deploy additional tools, such as a custom variant of an open source backdoor called NGLite and a credential-harvesting tool known as KdcSponge.
The researchers have shared the findings with other members of the Cyber Threat Alliance (CTA) to help them deploy protections for their respective customers in order to disrupt the campaign.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.