Healthcare, Energy, and Defense organisations suffered data breaches from hackers

December 7, 2021

Recently, a cybersecurity firm from Palo Alto released an advisory on a data breach campaign in which hackers have already compromised about nine organisations globally. The organisations that were attacked belong to some of the most essential sectors of government.

The malicious threat actors were seen exploiting a critical flaw (CVE-2021-40539) in Zoho's enterprise password management solution, ManageEngine ADSelfService Plus, to break into their targets' systems. This vulnerability allows the attackers to remotely execute code on unpatched systems without passing any authentication check.

The Palo Alto-based firm identified the breach after a US team warned that the flaw was being exploited in the wild. Unfortunately, the researchers lack comprehensive insight into the exact number of hacked servers, but they believe that at least nine organisations have been compromised worldwide.

According to the researchers' scans, 11,000 servers are exposed to the internet and still run the vulnerable Zoho software. It is not yet known how many of these systems have already been patched.


Hackers target organisations' credentials


Once the hackers have infiltrated a target's systems through the CVE-2021-40539 vulnerability, they first deploy a malware dropper that installs the Godzilla web shell on the compromised servers to establish and retain access to the target's network. They also deploy an open-source backdoor called NGLite.

Furthermore, the threat actors used a credential-stealing malware known as KdcSponge, which hooks Windows API functions to harvest credentials such as domain names, usernames, and passwords.

According to the researchers, the threat actors steal credentials, exfiltrate sensitive data, and collect confidential files from victim networks. 


Hackers are most likely linked to the China-backed threat actor APT27

Researchers believe these recent breaches are directly connected to a China-sponsored hacking group, since the tactics and execution closely resemble that group's earlier activity.

The researchers' assessment is based on the malicious tools and strategies used in the current campaign, which match those seen in previous APT27 attacks. APT27 used the same tactics back in 2010, and it also targeted industry sectors such as energy, technology, education, and defence.

Today, the United States of America, the European Union, and the United Kingdom blame China for the most widespread malicious acts worldwide. 
