Microsoft: Patch Zoho Bug Now to Stop Chinese Hackers
Microsoft has warned that Chinese actors are actively exploiting a known Zoho vulnerability to target defense, education, consulting and IT sector organizations.
CVE-2021-40539 is found in Zoho ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.
It’s a critical REST API authentication bypass which results in remote code execution, potentially allowing attackers to access and hijack victim organizations’ Active Directory and cloud accounts for advanced cyber-espionage and other ends.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures,” Microsoft explained in a blog post.
“MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with 0-day exploit.”
It’s not thought to be the same state-sponsored campaign as the one which the Cybersecurity and Infrastructure Security Agency (CISA) warned about in a September 16 alert.
In fact, Microsoft first discovered the campaign on September 22, at around the same time as Palo Alto Networks, which claimed the campaign had compromised at least nine organizations, including some in the energy sector.
Following initial compromise, the threat actors installed either a Godzilla webshell or a new backdoor dubbed NGLite to run commands and move laterally while exfiltrating files of interest, Palo Alto Networks said.
“Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network,” Microsoft explained.
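The post-exploitation chain described above (webshell, then credential dumping and lateral movement) leaves a recognisable trace in endpoint telemetry: a web or application-server process spawning a command interpreter. The following is an added defender-side example, not code from Microsoft, Zoho or Palo Alto Networks. It scans constructed process-creation records for that parent/child pattern. The log format, host names and the assumption that ADSelfService Plus runs under a `java.exe` parent are illustrative assumptions, not facts taken from the article.

```python
# Added example (not from the article): flag web/application-server processes that
# spawn a command interpreter, a common footprint of webshell activity such as the
# Godzilla webshell the article describes. Log layout and process names are
# constructed/assumed for illustration only.
import csv
from io import StringIO

# Assumption: the vulnerable service runs as a Java process; other common web hosts
# are listed alongside it. Tune this set to the processes actually deployed.
WEB_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}

# Interpreters a webshell typically launches to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample process-creation events (CSV with a header row).
SAMPLE_EVENTS = """\
timestamp,host,parent_image,image,command_line
2021-01-01T10:01:00Z,app01,java.exe,cmd.exe,cmd.exe /c whoami
2021-01-01T10:01:05Z,app01,java.exe,java.exe,java -jar update.jar
2021-01-01T10:02:10Z,ws17,explorer.exe,cmd.exe,cmd.exe
2021-01-01T10:03:00Z,app01,java.exe,powershell.exe,powershell -enc ZQBjAGgAbwA=
"""


def parse_events(text):
    """Parse CSV process-creation records into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def webshell_suspects(events):
    """Return events where a web parent launched a command interpreter."""
    hits = []
    for e in events:
        parent = e["parent_image"].lower()
        child = e["image"].lower()
        if parent in WEB_PARENTS and child in SHELLS:
            hits.append({
                "timestamp": e["timestamp"],
                "host": e["host"],
                "parent": parent,
                "child": child,
                "command_line": e["command_line"],
            })
    return hits


if __name__ == "__main__":
    for hit in webshell_suspects(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['timestamp']} {hit['host']}: {hit['parent']} -> "
              f"{hit['child']} [{hit['command_line']}]")
```

In the constructed sample, the `explorer.exe -> cmd.exe` event on the workstation is ignored as ordinary user activity, while both interpreter launches under the Java parent on `app01` are reported; in a real deployment the same rule would be fed from Sysmon event 1 or Windows event 4688 records rather than an inline CSV.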