2021-11-07
Threat Actors are Exploiting Known Flaw in Zoho Password Management Service
According to a report from Palo Alto Networks’ Unit 42, threat actors have exploited a known vulnerability in Zoho ManageEngine ADSelfService Plus to compromise networks at nine organizations in various sectors, including technology, defense, energy, and healthcare. The threat actors likely have ties to China. In mid-September, a US Cybersecurity and Infrastructure Security Agency (CISA) alert warned that the critical vulnerability was being actively exploited. Zoho has released updates to address the flaw.
Editor's Note
This flaw has been exploited since shortly after it was made public (and after a patch was released). Any vulnerable exposed system has likely been compromised. Palo Alto’s blog lists some IOCs to watch out for, but there are likely other groups using this relatively easy-to-exploit vulnerability.

Johannes Ullrich
Reusable passwords are not only inherently insecure, but they also require robust password reset processes, since attackers have always targeted them. Self-service password reset software needs to be high security, and ManageEngine did not live up to that. If you are using competing products for automated password reset, make sure you have applied all patches and choose a quality vendor.

John Pescatore
Read more in
Palo Alto Networks: Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
US-CERT CISA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
The Hill: Hackers breach nine global organizations in ongoing espionage campaign
Bleeping Computer: State hackers breach defense, energy, healthcare orgs worldwide
Cyberscoop: Hackers with Chinese links breach defense, energy targets, including one in US
Gov Infosecurity: NSA Reports: Espionage Group Breaches Critical Systems
The Register: You'll never guess who's been exploiting the ManageEngine service to steal passwords