New APT actor targeting Zoho solutions


By Dylan Bushell-Embling
Tuesday, 14 December, 2021


New APT actor targeting Zoho solutions

A “persistent and determined” advanced persistent threat (APT) actor has compromised a total of 13 organisations over the course of just three months, according to new research from Palo Alto Networks.

The APT actor is actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution from Zoho known as ManageEngine ADSelfService Plus, Palo Alto said in a threat advisory.

Palo Alto’s Unit 42 has observed the threat actor expanding its focus to other vulnerable software, including a different Zoho product known as ManageEngine ServiceDesk Plus. The company tracks the combined activity as the TiltedTemple campaign.

Unit 42’s observations show that the threat actor has been exploiting ServiceDesk Plus to upload a dropper to victim systems that deploys a Godzilla webshell which provides the actor with further access to and persistence in compromised systems.

The company’s research suggests that there are currently over 4700 internet-facing instances of ServiceDesk Plus globally, and 2900 of these are vulnerable to exploitation.

The research also suggests that the attackers were able to independently discover the vulnerability and develop the exploit code.

Compromised organisations span the technology, energy, healthcare, education, finance and defence industries, the threat advisory states.

“We analyzed Zoho’s ManageEngine ServiceDesk Plus to determine how the actors would exploit this vulnerability. We confirmed the existence of an RCE vulnerability that leveraged ServiceDesk’s REST API,” the advisory states.

“The exploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable specifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests are required for successful exploitation, and both are initiated remotely via the REST API without requiring authentication to the ServiceDesk server.”

Palo Alto is urging all organisations to patch this and other potentially vulnerable software within their enterprise environments. Other mitigations include conducting a review of all files that have been created in ServiceDesk Plus directories since early October.

Image credit: ©stock.adobe.com/au/beebright

Related Articles

Over 40bn records exposed in 2021: Tenable

There was a stark increase in both the number of publicly disclosed data breaches in 2021 and the...

​The passwordless future is here

Password-only cybersecurity will become less effective in 2022, with passwordless authentication...

Test your team, not just your disaster recovery plan

Disaster recovery (DR) plans have evolved into a central mechanism for safeguarding enterprises...


  • All content Copyright © 2022 Westwick-Farrow Pty Ltd