New APT actor targeting Zoho solutions

By Dylan Bushell-Embling
Tuesday, 14 December, 2021

New APT actor targeting Zoho solutions

A “persistent and determined” advanced persistent threat (APT) actor has compromised a total of 13 organisations over the course of just three months, according to new research from Palo Alto Networks.

The APT actor is actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution from Zoho known as ManageEngine ADSelfService Plus, Palo Alto said in a threat advisory.

Palo Alto’s Unit 42 has observed the threat actor expanding its focus to other vulnerable software, including a different Zoho product known as ManageEngine ServiceDesk Plus. The company tracks the combined activity as the TiltedTemple campaign.

Unit 42’s observations show that the threat actor has been exploiting ServiceDesk Plus to upload a dropper to victim systems that deploys a Godzilla webshell which provides the actor with further access to and persistence in compromised systems.

The company’s research suggests that there are currently over 4700 internet-facing instances of ServiceDesk Plus globally, and 2900 of these are vulnerable to exploitation.

The research also suggests that the attackers were able to independently discover the vulnerability and develop the exploit code.

Compromised organisations span the technology, energy, healthcare, education, finance and defence industries, the threat advisory states.

“We analyzed Zoho’s ManageEngine ServiceDesk Plus to determine how the actors would exploit this vulnerability. We confirmed the existence of an RCE vulnerability that leveraged ServiceDesk’s REST API,” the advisory states.

“The exploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable specifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests are required for successful exploitation, and both are initiated remotely via the REST API without requiring authentication to the ServiceDesk server.”

Palo Alto is urging all organisations to patch this and other potentially vulnerable software within their enterprise environments. Other mitigations include conducting a review of all files that have been created in ServiceDesk Plus directories since early October.

Image credit: ©

Related Articles

Vulnerability management is more than patching

Organisations of every size across every industry have had to evolve their security practices to...

From Zero Trust to total confidence

In today's business landscape, perimeter-based security is no longer sufficient.

Unity needed to address cyberthreats on ANZ businesses

Businesses across Australia and New Zealand continue to be targeted by cybercriminals as...

  • All content Copyright © 2022 Westwick-Farrow Pty Ltd