Hackers exploited vulnerability in a Zoho product to target organisations in critical sectors: Report

While attribution is still ongoing, some correlations reportedly point to a Chinese hacking group.

In a cyberattack campaign carried out in September, hackers exploited a vulnerability in one of Zoho’s enterprise products to target at least nine global organisations across industries like technology, defense, healthcare, energy, and education, US-based cybersecurity firm Palo Alto Networks said in a report published last week.

Zoho told MediaNama that it has addressed the vulnerability in question and has issued a security advisory to its customers on remediation measures. “We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required,” the company said.

Cyberattacks and data breaches have been rising in recent years, but campaigns targeted at critical infrastructure pose grave concern, especially in light of incidents like the alleged China state-sponsored attack on India’s electricity grid that caused a blackout.

Breaking down the cyberattack

  • What was the vulnerability? An authentication bypass vulnerability (tracked as CVE-2021-40539) was found in Zoho ManageEngine’s self-service password management and single sign-on solution called ADSelfService Plus. The vulnerability affects REST API URLs and allows remote code execution, Zoho said in its security advisory.
  • When was the initial attack carried out? The vulnerability was first detected in August 2021, when malicious actors tried gaining access to ADSelfService Plus, Zoho said.
  • Attack campaign observed by Palo Alto Networks: In September, Palo Alto Networks observed a second, unrelated campaign carrying out successful attacks against the same vulnerability. “As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October,” Palo Alto said.
  • How many customers were affected? The actor targeted at least 370 Zoho ManageEngine servers in the United States alone, Palo Alto reported. The firm said that “at least nine entities across the technology, defense, healthcare, energy, and education industries were compromised,” but it wasn’t able to pinpoint the affected organisations. Zoho declined to share details on the number of affected customers.
  • What data might have been compromised? Based on the code files deployed by the attacker, Palo Alto reported that the attackers would have been able to create, delete, copy and transfer files on compromised servers, as well as execute code remotely. The cybersecurity firm also observed that, upon compromising a network, the attackers moved quickly to gain access to other systems on the target network, and that they were ultimately interested in “stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration.” Zoho declined to share details on what data was compromised.
  • When was the fix released? Zoho fixed the vulnerability in ADSelfService Plus build 6114, released on September 6, and asked all its customers to update to that build. On September 16, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that actors were actively exploiting the vulnerability and asked customers to update their software immediately.
  • Who might have been behind the campaign? Palo Alto said that attribution is still ongoing and it hasn’t been able to validate the actor behind the campaign but observed some correlations between the current campaign and a similar one carried out by a Chinese hacking group.
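Two defender-side checks follow from the points above: confirm that every ADSelfService Plus server is on build 6114 or later, and look in web server logs for the kind of scanning against REST API URLs that preceded exploitation. The script below is an added example, not code from the article, Zoho or Palo Alto Networks. The inventory, hostnames, IP addresses and access-log lines are constructed, and the "/RestAPI/" path prefix used to pick out REST API requests is an assumption.

```python
"""Added triage example (constructed data; not from the article or the vendors).

Part 1 flags ADSelfService Plus hosts still below the fixed build (6114 per Zoho's
advisory).  Part 2 parses access-log lines and flags source IPs that burst requests
at REST API URLs, the scanning pattern Palo Alto Networks described.
"""
import re
from collections import defaultdict
from datetime import datetime

FIXED_BUILD = 6114  # build named in Zoho's advisory as fixing CVE-2021-40539

# Constructed inventory: hostname -> ADSelfService Plus build string as reported by the host
INVENTORY = {
    "adss-hq.example.internal": "6114",
    "adss-branch.example.internal": "6113",
    "adss-lab.example.internal": "6106",
    "adss-new.example.internal": "6116",
}


def parse_build(build: str) -> int:
    """Return the numeric build; refuse malformed strings instead of guessing."""
    m = re.fullmatch(r"\s*(\d{4,5})\s*", build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1))


def unpatched_hosts(inventory: dict) -> list:
    """Hosts whose build predates FIXED_BUILD, oldest build first."""
    stale = [(host, parse_build(b)) for host, b in inventory.items()
             if parse_build(b) < FIXED_BUILD]
    return [host for host, _ in sorted(stale, key=lambda item: item[1])]


# Constructed access-log lines (Apache-style; endpoint names are made up).
# 198.51.100.7 hammers REST API URLs within seconds; 10.20.0.15 is an ordinary user.
LOG_LINES = """\
198.51.100.7 - - [17/Sep/2021:03:14:01 +0000] "GET /RestAPI/endpoint-a HTTP/1.1" 404 512
198.51.100.7 - - [17/Sep/2021:03:14:02 +0000] "POST /RestAPI/endpoint-b HTTP/1.1" 401 220
198.51.100.7 - - [17/Sep/2021:03:14:02 +0000] "GET /RestAPI/endpoint-a HTTP/1.1" 404 512
198.51.100.7 - - [17/Sep/2021:03:14:03 +0000] "POST /RestAPI/endpoint-b HTTP/1.1" 401 220
10.20.0.15 - - [17/Sep/2021:08:30:11 +0000] "GET /authorization.do HTTP/1.1" 200 9812
10.20.0.15 - - [17/Sep/2021:08:30:19 +0000] "POST /RestAPI/endpoint-b HTTP/1.1" 200 184
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text: str) -> list:
    """Parse log lines into (ip, timestamp, method, path, status); skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("method"),
                       m.group("path"), int(m.group("status"))))
    return events


def restapi_bursts(events: list, window_seconds: int = 60, threshold: int = 3) -> dict:
    """Source IPs making >= threshold REST API requests inside any window_seconds span.

    Returns {ip: peak request count in a window}.  The '/restapi/' prefix is assumed.
    """
    by_ip = defaultdict(list)
    for ip, ts, _method, path, _status in events:
        if path.lower().startswith("/restapi/"):
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print("hosts below build", FIXED_BUILD, "->", unpatched_hosts(INVENTORY))
    print("REST API burst sources ->", restapi_bursts(parse_log(LOG_LINES)))
```

The burst threshold and window are deliberately conservative starting points; tune them against a baseline of normal REST API traffic, and treat any flagged source that is outside your own address space during the September window the article describes as worth a closer look.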

For a technical deep-dive into how the cyberattack campaign was carried out, read this.


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ