Chinese hackers are targeting Zoho ManageEngine software
Microsoft has issued an alert regarding the exploitation of systems running Zoho ManageEngine ADSelfService Plus. The Microsoft Threat Intelligence Center (MSTIC) has detected exploits originating from a sophisticated Chinese hacker group. Microsoft stated that the group is targeting an obscure bug in the Zoho software to install a web shell. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution. The bug is a remote code execution vulnerability tracked as CVE-2021-40539. The campaign appears to be the targeted malware campaign that Microsoft flagged in September.
The campaign is targeting the US defense industrial base, higher education, consulting services, and IT sectors. Microsoft has attributed the malicious activity to a group tracked as DEV-0322, which previously exploited a zero-day flaw in SolarWinds Serv-U FTP software. Palo Alto Networks observed the same group scanning ManageEngine ADSelfService Plus servers beginning in mid-September. The group has allegedly engaged in activities such as credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within networks.