Palo Alto Networks warned of an ongoing hacking campaign targeting defense, healthcare, energy, technology, and education organizations. Threat actors are exploiting critical vulnerability CVE-2021-40539 in Zoho’s enterprise password management solution known as ManageEngine AdSelfService Plus and are remotely executing code on unpatched systems without authentication. After successfully getting a foothold on their victims’ systems, the threat actors deploy a malware dropper that delivered Godzilla web shells on compromised servers to gain and maintain access to the victims’ networks. An open-source backdoor known as NGLite was also deployed. It is believed the threat actors are working for the group APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse), which is a Chinese state-sponsored threat group that has a history of using strategic web compromises to target victims.
ZoHo is offering complementary help to any of their customers who want assistance investigating whether they have a breach or with patching this vulnerability. More information regarding the ManageEngine AdSelfService Plus vulnerability can be found here:
State sponsored cyber-attacks continue to be an issue on a global scale. In July, world leaders blamed China for the extensive Microsoft Exchange hacking campaign. In a July press release, the Biden administration stated “The People’s Republic of China’s (PRC) pattern of irresponsible behavior in cyberspace is inconsistent with its stated objective of being seen as a responsible leader in the world. Today, countries around the world are making it clear that concerns regarding the PRC’s malicious cyber activities is bringing them together to call out those activities, promote network defense and cybersecurity, and act to disrupt threats to our economies and national security.” President Biden said the attacks caused the U.S. Government to strengthen government cyber defenses and vowed to continue to look for ways to defend government networks.