Microsoft: Patch Zoho Bug Now to Stop Chinese Hackers
Microsoft has warned that Chinese actors are actively exploiting a known Zoho vulnerability to target defense, education, consulting and IT sector organizations.
CVE-2021-40539 is found in Zoho ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.
It’s a critical REST API authentication bypass which results in remote code execution, potentially allowing attackers to access and hijack victim organizations’ Active Directory and cloud accounts for advanced cyber-espionage and other ends.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures,” Microsoft explained in a blog post.
“MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with 0-day exploit.”
It’s not thought to be the same state-sponsored campaign as the one which the Cybersecurity and Infrastructure Security Agency (CISA) warned about in a September 16 alert.
In fact, Microsoft first discovered the campaign on September 22, at around the same time as Palo Alto Networks, which claimed it had compromised at least nine organizations including some in the energy sector.
Following initial compromise, the threat actors installed either a Godzilla webshell or a new backdoor dubbed NGLite to run commands and move laterally while exfiltrating files of interest, Palo Alto Networks said.
“Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network,” Microsoft explained.