Chinese hackers may have targeted Zoho, says US cyber security firm

Enterprise software maker Zoho was targeted by hackers, possibly of Chinese origin, who exploited a vulnerability in ManageEngine ADSelfService Plus, its self-service password management tool, from late September to early October, according to a blog post by Palo Alto Networks.

The US-based cyber security firm’s Unit 42 said last week that the hackers exploited the known vulnerability to successfully infiltrate at least nine global organisations in critical sectors such as defence, energy, healthcare, education and technology.

The attack, which it said began on September 22 and likely continued until early October, targeted at least 370 of Zoho’s ManageEngine servers in the United States.

Palo Alto Networks said the tactics and tooling used in the attacks were similar to those of the Chinese hacking group Emissary Panda, though it has not been able to validate the actor behind the campaign.

It said it had detected over 11,000 servers running Godzilla Webshell, the malware that was deployed in the cyberattack.

The issue was first reported by the US Cybersecurity and Infrastructure Security Agency on September 16. Palo Alto Networks noticed the hacking campaign days after this alert.


The vulnerability, in Zoho’s ManageEngine ADSelfService Plus solution, has since been patched.

“We have addressed an authentication bypass vulnerability in ManageEngine’s ADSelfService Plus. The vulnerability affects REST API URLs and could result in Remote Code Execution. We released a patch and notified all our customers about the bug,” a spokesperson from ManageEngine said.

The company advised customers to update to the latest version of the software and detailed the ways to find out if they had been targeted. Zoho did not share details on the number of customers affected.

A spokesperson for the Chennai-based company said it was putting in place further security measures. “We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required,” the spokesperson said.

According to Palo Alto Networks, the attackers’ motive was to maintain persistence in the victims’ networks.

“The objective appears to be to maintain long-term access to facilitate espionage,” online publication Tech Monitor quoted Ryan Olson, VP of Unit 42, as saying.
