New APT actor targeting Zoho solutions


By Dylan Bushell-Embling
Tuesday, 14 December, 2021


A “persistent and determined” advanced persistent threat (APT) actor has compromised a total of 13 organisations over the course of just three months, according to new research from Palo Alto Networks.

The APT actor is actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution from Zoho known as ManageEngine ADSelfService Plus, Palo Alto said in a threat advisory.

Palo Alto’s Unit 42 has observed the threat actor expanding its focus to other vulnerable software, including a different Zoho product known as ManageEngine ServiceDesk Plus. The company tracks the combined activity as the TiltedTemple campaign.

Unit 42’s observations show that the threat actor has been exploiting ServiceDesk Plus to upload a dropper to victim systems; the dropper deploys a Godzilla webshell, which gives the actor further access to, and persistence in, the compromised systems.

The company’s research suggests that there are currently over 4700 internet-facing instances of ServiceDesk Plus globally, and 2900 of these are vulnerable to exploitation.

The research also suggests that the attackers were able to independently discover the vulnerability and develop the exploit code.

Compromised organisations span the technology, energy, healthcare, education, finance and defence industries, the threat advisory states.

“We analyzed Zoho’s ManageEngine ServiceDesk Plus to determine how the actors would exploit this vulnerability. We confirmed the existence of an RCE vulnerability that leveraged ServiceDesk’s REST API,” the advisory states.

“The exploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable specifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests are required for successful exploitation, and both are initiated remotely via the REST API without requiring authentication to the ServiceDesk server.”

Palo Alto is urging all organisations to patch this and other potentially vulnerable software within their enterprise environments. Other mitigations include conducting a review of all files that have been created in ServiceDesk Plus directories since early October.
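The file review suggested above can be scripted. The following is an added example (not code from Palo Alto Networks, Unit 42 or Zoho) that walks a ServiceDesk Plus installation tree, lists files created since a cutoff date, and separately highlights the indicator the advisory describes: an executable named msiexec.exe sitting anywhere other than the Windows system directories. The directory layout, the sample files, the early-October cutoff and the list of "interesting" extensions are constructed assumptions for the demonstration.

```python
"""Review an application directory tree for files created since a cutoff date
and for a rogue msiexec.exe outside the Windows system directories.

Added example; not code from Palo Alto Networks, Unit 42 or Zoho. The sample
tree, cutoff date and extension list below are constructed assumptions.
"""
import os
import stat
import tempfile
from datetime import datetime, timezone

# Assumed cutoff: "early October" in the advisory, pinned to 1 October 2021 here.
DEFAULT_CUTOFF = datetime(2021, 10, 1, tzinfo=timezone.utc)
# Extensions worth a second look when they appear in an application tree (assumption).
EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".jsp", ".jar", ".war"}
# The only directories where a legitimate msiexec.exe lives on Windows.
LEGIT_MSIEXEC_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def creation_time(path):
    """Best available creation timestamp for path, as an aware UTC datetime.

    st_birthtime exists on macOS/BSD (and on Windows with Python 3.12+); where
    it is absent, the earliest of mtime and ctime is the closest proxy. An
    attacker can backdate mtime (timestomping), so this filter narrows the
    review rather than replacing it; the msiexec.exe check below is
    deliberately independent of timestamps.
    """
    st = os.stat(path)
    candidates = [st.st_mtime, st.st_ctime]
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        candidates.append(birth)
    return datetime.fromtimestamp(min(candidates), tz=timezone.utc)


def review_tree(root, cutoff=DEFAULT_CUTOFF):
    """Walk root and return findings: dicts with path, creation time and reasons."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # do not follow symlinks or special files
            created = creation_time(full)
            reasons = []
            if created >= cutoff:
                reasons.append("created since cutoff")
            normalised = full.lower().replace("/", "\\")
            if name.lower() == "msiexec.exe" and not any(
                d in normalised for d in LEGIT_MSIEXEC_DIRS
            ):
                reasons.append("msiexec.exe outside Windows system directory")
            if reasons and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                reasons.append("executable or script extension")
            if reasons:
                findings.append({"path": full, "created": created, "reasons": reasons})
    return findings


def relative_findings(root, cutoff=DEFAULT_CUTOFF):
    """Same as review_tree, keyed by forward-slash relative path for easy reporting."""
    return {
        os.path.relpath(f["path"], root).replace(os.sep, "/"): f["reasons"]
        for f in review_tree(root, cutoff)
    }


def build_sample_tree():
    """Create a constructed tree imitating an install directory: two files
    backdated to 1 September 2021 and two written now, one a rogue msiexec.exe."""
    root = tempfile.mkdtemp(prefix="sdp_review_")
    old_ts = datetime(2021, 9, 1, tzinfo=timezone.utc).timestamp()
    sample_files = [
        (("changelog.txt",), True),       # pre-existing, backdated
        (("bin", "run.bat"), True),        # pre-existing, backdated
        (("bin", "msiexec.exe"), False),   # new and in the wrong place
        (("logs", "notes.txt"), False),    # new but harmless-looking
    ]
    for parts, backdate in sample_files:
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample content\n")
        if backdate:
            os.utime(full, (old_ts, old_ts))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, reasons in sorted(relative_findings(sample_root).items()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run it against the real installation root instead of the sample tree (for example `relative_findings(r"C:\ManageEngine\ServiceDesk")`, path assumed) and triage anything flagged; the msiexec.exe check fires regardless of timestamps, so a backdated dropper still surfaces.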


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd