Palo Alto Networks warned of an ongoing hacking campaign targeting defense, healthcare, energy, technology, and education organizations. Threat actors are exploiting critical vulnerability CVE-2021-40539 in Zoho’s enterprise password management solution known as ManageEngine AdSelfService Plus and are remotely executing code on unpatched systems without authentication. After successfully getting a foothold on their victims’ systems, the threat actors deploy a malware dropper that delivered Godzilla web shells on compromised servers to gain and maintain access to the victims’ networks. An open-source backdoor known as NGLite was also deployed. It is believed the threat actors are working for the group APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse), which is a Chinese state-sponsored threat group that has a history of using strategic web compromises to target victims.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in