Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.
Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539. Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company’s enterprise IT management software division.
It’s a targeted campaign, so most Windows users shouldn’t need to worry about it, but Microsoft has flagged the activity, which it first observed in September, because it is aimed at the US defence industrial base, higher education, consulting services, and IT sectors.
MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers.
Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October.
The bug concerns a REST