Threat Group Takes Aim Again at Cloud Platform Provider Zoho
An unknown state-backed threat actor has allegedly expanded its attack efforts against cloud platform company Zoho and its ManageEngine ServiceDesk Plus software, a help desk and asset management solution. In the past, the same adversary has targeted Zoho’s ADSelfService Plus. According to researchers, the APT has attacked 13 Zoho victims over the past several weeks, increasing its number of attacks from 9. Its most recent campaign was reported by Palo Alto Networks Unit 42 this week and echoes warnings in September by the FBI and CISA of similar attacks. That targeting involved exploitation of a zero-day vulnerability in the ADSelfService Plus software, and has now expanded to include ManageEngine ServiceDesk Plus.
Unit 42 released a report stating that the most recent activity was tracked between October and November. During that time, the attackers also started reconnaissance efforts against a US financial organization running a vulnerable version of the Zoho software. Over the following days, similar activity occurred against six other organizations, including one US defense entity and one tech company. Unit 42 is tracking the campaign as TiltedTemple. Researchers at Microsoft and Unit 42 both found links between the APT and China; however, it remains unclear exactly which group is conducting the attacks. Microsoft has suspected DEV-0322, a threat actor with ties to the Chinese government.