Threat Actors are Exploiting Known Flaw in Zoho Password Management Service
According to a report from Palo Alto Networks’ Unit 42, threat actors have exploited a known vulnerability in Zoho ManageEngine ADSelfService Plus to compromise networks at nine organizations in various sectors, including technology, defense, energy, and healthcare. The threat actors likely have ties to China. In mid-September, a US Cybersecurity and Infrastructure Security Agency (CISA) alert warned that the critical vulnerability was being actively exploited. Zoho has released updates to address the flaw.
This flaw has been exploited since shortly after it was made public (and after a patch was released). Any vulnerable, internet-exposed system has likely been compromised, so patching alone is not enough: assume compromise and check for signs of post-exploitation activity. Palo Alto’s blog lists some IOCs to watch out for, but there are likely other groups using this relatively easy-to-exploit vulnerability, so the absence of those specific IOCs does not rule out a breach.
Reusable passwords are not only inherently insecure, but they also require robust password reset processes, since attackers have always targeted them. Self-service password reset software needs to be high security, and ManageEngine did not live up to that. If you are using competing products for automated password reset, make sure you have applied all patches and choose a quality vendor.
Read more in:
Bleeping Computer: State hackers breach defense, energy, healthcare orgs worldwide
Gov Infosecurity: NSA Reports: Espionage Group Breaches Critical Systems