MSTIC has attributed the campaign with “high confidence” to a hacking group operating out of China, basing the attribution on factors such as observed infrastructure, victimology, tactics, and procedures. Earlier this week, cybersecurity firm Palo Alto Networks announced that cybercriminals had exploited the vulnerable Zoho software to compromise nine organizations.

Details of the Cyber Campaign

The campaign targets systems that use Zoho’s popular password management software, ADSelfService Plus. Particularly, the campaign targets systems running a version of the software that is vulnerable to CVE-2021-40539, which is a REST API authentication bypass with resultant remote code execution. Microsoft noted that after exploiting a vulnerable system, the hackers engaged in activities such as “credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.” MSTIC first observed the campaign in September this year, which appeared to target the following sectors:

Defense Industrial Base
Higher education
Consulting services
Information technology

In its blog post, MSTIC also provided Microsoft Sentinel and Microsoft 365 Defender Hunting Queries to identify vulnerable devices.
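MSTIC's own queries are not reproduced here; the two Microsoft 365 Defender advanced hunting queries below are an added example of the kind of check the post describes, built on the threat and vulnerability management tables. The way the software inventory names the product ("adselfservice") is an assumption and may need adjusting to what a given tenant reports; each query is run on its own.

```kql
// Added example, not MSTIC's published queries.
// Query 1: devices on which Defender has matched the CVE named in the advisory,
// with the version seen and the update Defender recommends.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2021-40539"
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| sort by DeviceName asc

// Query 2: every ADSelfService Plus install in the inventory, whether or not the
// CVE has matched yet, so hosts missed by the first query can be patched too.
// The product-name match is an assumption about how the inventory labels it.
DeviceTvmSoftwareInventory
| where SoftwareName contains "adselfservice"
| summarize Installs = count(), Versions = make_set(SoftwareVersion)
    by DeviceName, SoftwareVendor, SoftwareName
| sort by DeviceName asc
```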

Recent Exploitation of Zoho’s Password Management Software

Microsoft has notified customers that have been targeted or compromised, as it does with any observed activity from nation-state actors, and has provided them with the information needed to protect themselves. MSTIC also stated that it has not discovered any attacks on Microsoft products in this campaign.

Palo Alto Networks also flagged an ongoing campaign against systems running vulnerable versions of Zoho’s password management software. In that instance, the industries targeted belonged to the defense, energy, healthcare, technology, and education sectors. Several U.S. federal agencies that monitor cyber threats viewed Palo Alto Networks’ announcement as a positive outcome from a nascent public-private collaboration policy. Microsoft also thanked Palo Alto for highlighting this activity and for their “collaboration as industry partners and ongoing efforts to protect customers.”
