Cyberattacks continue, this time with threat actors focusing on a Zoho vulnerability, a critical flaw that was recently patched. The bug in question, tracked as CVE-2021-40539, affects ManageEngine ADSelfService Plus, Zoho's self-service password management solution, and can lead to remote code execution attacks.
The Zoho Vulnerability: Background
On the 16th of September, CISA released a joint advisory warning about the exploitation of the ManageEngine ADSelfService Plus bug by APT actors; the vulnerability was patched by Zoho in the same month.
A new campaign exploiting this known, already patched vulnerability was detailed by researchers at Palo Alto Networks' Unit 42 over the weekend in a thorough report. According to that report, these are the campaign's characteristics:
The goal of the threat actors was to gain initial access to certain organizations. Among the targeted organizations, the researchers identified nine entities across sectors such as healthcare, education, energy, technology, and defense. How did the attack work? The attackers used a backdoor for sensitive data theft, together with malicious tools aimed at collecting credentials. Abusing the above-mentioned flaw leaves room for lateral movement, which can expand the damage to the network post-exploitation.
Attack Methods When Abusing the Zoho Vulnerability