Last Updated on 22/11/2021 by Sunaina
Hackers are taking advantage of a recently fixed serious vulnerability in Zoho’s ManageEngine ADSelfService Plus, which might allow them to execute code remotely. CISA has previously issued a warning about advanced persistent threat (APT) attackers exploiting the vulnerability.
Palo Alto Networks recently discovered an espionage campaign that took advantage of the issue to obtain initial access to targeted businesses. At least nine businesses from diverse industries, including defence, energy, technology, healthcare, and education, were targeted. The attackers were employing malicious tools to harvest passwords and obtain sensitive information through a backdoor. The exploited flaw, CVE-2021-40539, allows attackers to move laterally across the network for post-exploitation actions. Notably, the attackers are thought to have targeted 370 Zoho ManageEngine servers in the United States alone.
NGLite is a blockchain-based anonymous cross-platform remote control tool. For anonymity, it uses the New Kind of Network (NKN) architecture for its C2 communications.
The toolkit enables the attacker to run commands and move laterally to other systems on the network, all while transferring files of interest. KdcSponge is used by the attackers to obtain credentials from domain controllers.
Although analysts were unable to definitively link this campaign to any one threat group, parallels in tactics and tools with Emissary Panda were detected.
Microsoft tracked the same campaign independently and attributed it to an emerging threat actor known as DEV-0322. DEV-0322 is based in China and previously exploited a zero-day vulnerability in SolarWinds Serv-U.
New campaigns that compromise victims through previously known vulnerabilities highlight an existing gap in organizations’ security capabilities. To stay protected from such threats, experts advocate building a thorough patch management approach.