In a cyberattack campaign carried out in September, hackers exploited a vulnerability in one of Zoho’s enterprise products to target at least nine global organisations across industries like technology, defense, healthcare, energy, and education, US-based cybersecurity firm Palo Alto Networks said in a report published last week.
Zoho told MediaNama that it has addressed the vulnerability in question and has issued a security advisory to its customers on remediation measures. “We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required,” the company said.
Cyberattacks and data breaches have been rising in recent years, but campaigns targeted at critical infrastructure are of particular concern, especially in light of incidents like the alleged China state-sponsored intrusion into India's electricity grid, which has been linked to a blackout (a link the Indian government has denied).
Breaking down the cyberattack
- What was the vulnerability? An authentication bypass vulnerability (tracked as CVE-2021-40539) was found in ADSelfService Plus, Zoho ManageEngine's self-service password management and single sign-on product. According to Zoho's security advisory, the flaw affects the product's REST API URLs: an unauthenticated attacker can bypass authentication on those endpoints and, from there, achieve remote code execution on the server.
- When was the initial attack carried out? Zoho said it first detected exploitation in August 2021, when malicious actors tried to gain access to ADSelfService Plus installations.
- Attack campaign observed by Palo Alto Networks: In September, Palo Alto Networks observed a second, unrelated campaign carrying out successful attacks against the same vulnerability. “As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October,” Palo Alto said.
- How many customers were affected? The actor targeted at least 370 Zoho ManageEngine servers in the United States alone, Palo Alto reported. The firm said that “at least nine entities across the technology, defense, healthcare, energy, and education industries were compromised,” but it wasn’t able to pinpoint the affected organisations. Zoho declined to share details on the number of affected customers.
- What data might have been compromised? Based on the code files the attacker deployed on compromised servers, Palo Alto reported that the attackers would have been able to create, delete, copy and transfer files on those servers, as well as execute code on them remotely. The firm also observed that, once inside a network, the attackers moved quickly to other systems on the target networks and were ultimately interested in “stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration.” Zoho declined to share details on what data was compromised.
- When was the fix released? Zoho fixed the vulnerability in ADSelfService Plus build 6114 released on September 6 and asked all its customers to update to the same. On September 16, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that actors were actively exploiting the vulnerability and asked customers to update their software immediately.
- Who might have been behind the campaign? Palo Alto said that attribution is still ongoing and it hasn’t been able to validate the actor behind the campaign but observed some correlations between the current campaign and a similar one carried out by a Chinese hacking group.
For a technical deep-dive into how the cyberattack campaign was carried out, see Palo Alto Networks' report.
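The points above give a defender two concrete things to check: whether an ADSelfService Plus install is on a build older than 6114, and whether the web server's access logs show hits on REST API URLs during the window Palo Alto Networks describes (scanning from Sept. 17, exploitation attempts from Sept. 22 into early October). The script below is an added example, not code from Zoho, Palo Alto Networks or the original article. The log format (combined access log), the `/RestAPI/` path prefix, the endpoint names and the sample lines are all constructed assumptions; the page only says the flaw affects "REST API URLs", so the prefix and paths should be replaced with the ones named in Zoho's advisory.

```python
"""Triage helper for the ADSelfService Plus campaign described above.

Constructed example: the log format, path prefix, endpoint names and sample
lines are assumptions, not artefacts from Zoho, Palo Alto Networks or a victim.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Zoho's advisory: ADSelfService Plus build 6114 (released Sept. 6, 2021) fixes the flaw.
FIXED_BUILD = 6114

# Timeline reported by Palo Alto Networks: scanning from Sept. 17,
# exploitation attempts from Sept. 22, likely continuing into early October.
SCAN_START = datetime(2021, 9, 17, tzinfo=timezone.utc)
EXPLOIT_START = datetime(2021, 9, 22, tzinfo=timezone.utc)

# ASSUMPTION: the vulnerable endpoints live under this prefix. The article only
# says "REST API URLs"; use the exact paths from Zoho's advisory in practice.
REST_PREFIX = "/RestAPI/"

# Apache/Tomcat-style combined access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (RFC 5737 documentation addresses, made-up endpoint names).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Sep/2021:03:12:44 +0000] "GET /RestAPI/example HTTP/1.1" 200 512
203.0.113.10 - - [23/Sep/2021:11:05:01 +0000] "POST /RestAPI/example HTTP/1.1" 200 1432
198.51.100.7 - - [10/Sep/2021:08:00:00 +0000] "GET /RestAPI/other HTTP/1.1" 200 88
192.0.2.25 - - [24/Sep/2021:14:30:10 +0000] "GET /samlLogin/ HTTP/1.1" 302 0
192.0.2.25 - - [24/Sep/2021:14:30:12 +0000] "POST /RestAPI/other HTTP/1.1" 401 0
"""


def build_is_vulnerable(build):
    """True if the installed build predates Zoho's fix in build 6114."""
    return int(build) < FIXED_BUILD


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def triage(lines):
    """Group REST API hits by source IP and bucket them against the reported timeline.

    Heuristic only: hits between Sept. 17 and Sept. 22 are counted as scanning,
    later hits as exploitation attempts, and a POST that the server answered with
    2xx (rather than an auth failure or redirect) is flagged as a likely success.
    """
    report = defaultdict(lambda: {"scan": 0, "exploit_attempt": 0, "successful": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(REST_PREFIX):
            continue
        if rec["ts"] < SCAN_START:
            continue  # outside the reported campaign window
        bucket = report[rec["ip"]]
        if rec["ts"] < EXPLOIT_START:
            bucket["scan"] += 1
        else:
            bucket["exploit_attempt"] += 1
            if rec["method"] == "POST" and 200 <= rec["status"] < 300:
                bucket["successful"] += 1
    return dict(report)


if __name__ == "__main__":
    print("build 6113 vulnerable:", build_is_vulnerable(6113))
    for ip, counts in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

Sources that only appear in the scan bucket are candidates for blocking; any source with a "successful" count warrants a forensic look at the server for dropped files and follow-on lateral movement, since Palo Alto Networks reported that the actors moved on to credential theft and exfiltration quickly after compromise.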