Microsoft has warned that Chinese actors are actively exploiting a known Zoho vulnerability to target defense, education, consulting and IT sector organizations.
CVE-2021-40539 is found in Zoho ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.
It’s a critical REST API authentication bypass which results in remote code execution, potentially allowing attackers to access and hijack victim organizations’ Active Directory and cloud accounts for advanced cyber-espionage and other ends.
“Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures,” Microsoft explained in a blog post.
“MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with 0-day exploit.”
It’s not thought to be the same state-sponsored campaign as the one which the Cybersecurity and Infrastructure Security Agency (CISA) warned about in a September 16 alert.
In fact, Microsoft first discovered the campaign on September 22, at around the same time as Palo Alto Networks, which claimed it had compromised at least nine organizations including some in the energy sector.
Following initial compromise, the threat actors installed either a Godzilla webshell or a new backdoor dubbed NGLite to run commands and move laterally while exfiltrating files of interest, the vendor claimed.
“Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network,” Microsoft explained.