Chinese hackers target ManageEngine password manager
At least nine organizations in the technology, defense, health care, energy, and education industries hit in new campaign
Security researchers have warned of a new Chinese hacking campaign using a known flaw in the Zoho ManageEngine ADSelfService Plus password manager to steal data.
Hackers gained initial access to targeted organizations by exploiting a recently patched vulnerability in Zoho's ManageEngine product, ADSelfService Plus, tracked as CVE-2021-40539, according to researchers at Palo Alto Networks' Unit 42.
Researchers added that this campaign is separate from the one described in a US Cybersecurity and Infrastructure Security Agency (CISA) advisory published in September.
The flaw, CVE-2021-40539, allows an attacker to bypass REST API authentication and then achieve remote code execution on vulnerable installations. Zoho patched the flaw in September.
In this campaign, hackers used leased infrastructure in the US to scan hundreds of vulnerable organizations across the internet. Researchers said exploitation attempts began on September 22 and continued into early October. During that window, the actor successfully compromised at least nine global entities in the technology, defense, health care, energy, and education industries.
After the initial exploitation, a payload was uploaded to the victim's server which installed a Godzilla webshell.
“This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite,” said researchers.
Hackers then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the compromised web server.
“Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge,” said researchers.
Researchers said Godzilla and NGLite are both documented in Chinese and are publicly available for download on GitHub.
“We believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,” researchers added.
Researchers said the hackers' main goal was to gain persistent access to the network and gather and exfiltrate sensitive documents from the compromised organization.
“The threat actor gathered sensitive files to a staging directory and created password-protected multi-volume RAR archives in the Recycler folder. The actor exfiltrated the files by directly downloading the individual RAR archives from externally facing web servers,” researchers added.
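The exfiltration path described above (staging RAR volumes on the box, then fetching them over HTTP from the externally facing web server) leaves a footprint in the web server's own access log. The following Python is an added example for this article, not code from Unit 42 or from the report it summarizes: it parses Apache/Tomcat combined-format access lines (the format is an assumption; ADSelfService Plus ships with Tomcat, but your deployment may log differently), picks out successful GET requests for archive files, and groups them by client and archive base name so that a single client pulling several volumes of the same split archive stands out. The log lines are constructed, the IP addresses are documentation ranges, and the archive extensions checked go a little beyond the article (RAR volumes plus .zip/.7z) since the same staging pattern is used with other archivers.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/Tomcat "combined" format.
# Not real victim data: IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.22 - - [23/Sep/2021:02:15:31 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 9043 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2021:02:40:02 +0000] "GET /images/data.part1.rar HTTP/1.1" 200 52428800 "-" "curl/7.68.0"
203.0.113.7 - - [23/Sep/2021:02:41:15 +0000] "GET /images/data.part2.rar HTTP/1.1" 200 52428800 "-" "curl/7.68.0"
203.0.113.7 - - [23/Sep/2021:02:42:30 +0000] "GET /images/data.part3.rar HTTP/1.1" 200 1048576 "-" "curl/7.68.0"
192.0.2.15 - - [23/Sep/2021:03:01:11 +0000] "GET /images/logo.png HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
192.0.2.15 - - [23/Sep/2021:03:02:40 +0000] "GET /images/old.rar HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# RAR volumes (name.rar, name.partN.rar, old-style name.rNN) plus zip/7z.
ARCHIVE_RE = re.compile(r'(?:\.part\d+)?\.(?:rar|r\d{2}|zip|7z)$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_archive_downloads(log_text):
    """Successful (HTTP 200) GET requests whose path ends in an archive extension."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore any query string
        if ARCHIVE_RE.search(path):
            rec["path"] = path
            hits.append(rec)
    return hits


def volume_base(path):
    """Strip directory and volume suffix: '/x/data.part2.rar' -> 'data'."""
    name = path.rsplit("/", 1)[-1]
    return ARCHIVE_RE.sub("", name)


def multi_volume_clients(hits, min_volumes=2):
    """Group archive downloads by (client IP, archive base name).

    Returns only groups where one client fetched at least `min_volumes`
    distinct files of the same archive, the split-volume pattern that a
    staged multi-volume RAR exfiltration produces.
    """
    paths = defaultdict(set)
    total = defaultdict(int)
    for h in hits:
        key = (h["ip"], volume_base(h["path"]))
        paths[key].add(h["path"])
        total[key] += h["size"]
    return {
        key: {"volumes": sorted(p), "bytes": total[key]}
        for key, p in paths.items()
        if len(p) >= min_volumes
    }


if __name__ == "__main__":
    hits = find_archive_downloads(SAMPLE_LOG)
    for (ip, base), info in multi_volume_clients(hits).items():
        print(f"{ip} fetched {len(info['volumes'])} volumes of '{base}' "
              f"({info['bytes']} bytes): {', '.join(info['volumes'])}")
```

The 404 for old.rar is deliberately excluded: only completed transfers matter for exfiltration volume. In practice, run this against the rotated access logs of any ADSelfService Plus host exposed to the internet during the exploitation window, and treat any hit under a static-content directory as worth a look even when it is a single file, since the base-name grouping only highlights the split-archive case.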
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
