The US-based cyber security firm’s Unit 42 said last week that the hackers exploited the known vulnerability to successfully infiltrate at least nine global organisations in critical sectors such as defence, energy, healthcare, education and technology.
The attack, which it said began on September 22 and likely continued until early October, targeted at least 370 of Zoho’s ManageEngine servers in the United States.
Palo Alto Networks said the tactics and tooling used in the attacks were similar to that of Chinese hacking group Emissary Panda, though it has not been able to validate the actor behind the campaign.
It said it had detected over 11,000 servers running Godzilla Webshell, the malware that was deployed in the cyberattack.
The issue was first reported by the US Cybersecurity and Infrastructure Security Agency on September 16. Palo Alto Networks noticed the hacking campaign days after this alert.
The vulnerability, in Zoho’s ManageEngine ADSelfService Plus solution, has since been patched.
“We have addressed an authentication bypass vulnerability in ManageEngine’s ADSelfService Plus. The vulnerability affects REST API URLS and could result in Remote Code Execution. We released a patch and notified all our customers about the bug,” a spokesperson from ManageEngine said.
The company advised customers to update to the latest version of the software and detailed the ways to find out if they had been targeted. Zoho did not share details on the number of customers affected.
A spokesperson for the Chennai-based company said it was putting in place further security measures. “We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required,” the spokesperson said.
According to Palo Alto Networks, the attackers’ motive was to maintain persistence in the victims’ networks.
“The objective appears to be to maintain long-term access to facilitate espionage,” online publication Tech Monitor quoted Ryan Olsen, VP of Unit 42, as saying.