
Chinese Cyber Espionage Campaign Found Exploiting Zoho Vulnerability

Unit 42 uncovered an ongoing cyberespionage campaign that has been exploiting a Zoho vulnerability. The campaign targeted nine organizations in critical sectors including education, defense, health care, energy, and technology.


Critical infrastructure and technology vendors have become frequent targets for state-sponsored adversaries. A security research team from Palo Alto Networks’ Unit 42 uncovered an ongoing cyberespionage campaign that has already targeted nine organizations belonging to critical global sectors, including education, defense, health care, energy, and technology. With contributions from the National Security Agency (NSA), the research report revealed that the campaign is focused on stealing critical information from U.S. defense contractors.

Exploiting a Vulnerability in Zoho

The researchers found that cybercriminals penetrated international critical network systems by exploiting CVE-2021-40539, a recently addressed vulnerability in ADSelfService Plus, Zoho’s ManageEngine identity and access management tool. The flaw allowed the attackers to bypass REST API authentication, resulting in remote code execution. After exploiting the flaw, the threat actors deployed two malware backdoors on the targeted systems: the Godzilla webshell and the NGLite payload. The Godzilla webshell can parse inbound HTTP POST requests and decrypt sensitive data.

After obtaining complete access to the domain controllers, the attackers deployed KdcSponge, a novel credential-stealing tool that targets domain controllers. The researchers said, “KdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific functions to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos. The malicious code writes stolen credentials to a file but is reliant on other capabilities for exfiltration.”

Researchers also claimed that both Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub.

The Impact

Over 370 U.S. organizations were included in broad scanning to identify vulnerable Zoho servers. The campaign shows connections between malicious servers and U.S. organizations, including Department of Defense agencies, defense contractors, educational institutions, and health care organizations. According to Palo Alto’s Cortex Xpanse platform scans, more than 11,000 internet-exposed systems around the globe are running the affected Zoho software. The scans did not indicate what percentage of those systems have already been patched.

Rob Joyce, Director of Cybersecurity for the U.S. National Security Agency, asked users and organizations to review the Unit 42 findings for indicators of compromise of the ongoing malware campaign.

Early Warning

Reports suggest that the campaign began on September 17, a day after CISA warned about the active exploitation of Zoho vulnerabilities, including CVE-2021-40539. The agency stated the exploitation of ManageEngine ADSelfService Plus poses a severe risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.

The agency recently issued a Binding Operational Directive (BOD) to reduce the risk of actively exploited vulnerabilities. The new Directive, which applies to all software and hardware found on federal information systems, requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

Involvement of Chinese Actors

While the threat actors behind the campaign are still unknown, Unit 42 researchers believe the techniques used in the campaign are similar to those of the Chinese threat group Emissary Panda, also known as TG-3390 and APT27.

“We can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller. While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling,” the researchers added.

ManageEngine Responds

Responding to an email from CISO MAG, ManageEngine’s spokesperson said, “We have addressed an authentication bypass vulnerability in ManageEngine’s ADSelfService Plus. The vulnerability affects REST API URLs and could result in Remote Code Execution. We released a patch and notified all our customers about the bug. They are requested to update the software to the latest version (build 6114) as soon as possible. A public advisory, detailing the steps to be taken by customers if they are affected, has been issued. Please refer to this link. We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required.”

Expert Opinion

Explaining to CISO MAG how organizations can reduce the significant risk of known exploited vulnerabilities, Sean Duca, Vice President and Regional Chief Security Officer – Asia Pacific & Japan, Palo Alto Networks, said, “Thanks to the pandemic, businesses worldwide have been forced to accelerate their digital transformation journey. As a result, we have seen a rise in both the frequency and sophistication of cyber threats. Therefore, organizations must evaluate and update their vulnerability management approaches and security architectures regularly to combat an ever-evolving adversary. In addition, there is an increased need to look at how we can secure applications, users, and devices across the cloud. As incidents are inevitable, how organizations react to a breach is of equal importance – prompt remediation can aid in the protection of IT infrastructure while significantly reducing costs that could be financial, reputational, or both. Furthermore, organizations should put security measures in place to combat any known threats and ensure preventive controls are in place to identify, evaluate and mitigate any unknown threats.”

Duca added, “The same can apply to the maintenance of the critical infrastructures of a country that are more likely to rely on outdated legacy setups, as evidenced by this espionage campaign. Public and private collaborations can go a long way in enabling the development of strong cybersecurity policies, processes, and risk management frameworks to secure critical infrastructure and respond to threats in real-time.”


Organizations of all sizes need to respond promptly to critical vulnerability disclosures and adopt necessary security precautions to prevent potential exploits. This is crucial for companies in critical sectors that are constantly being targeted by ransomware operators probing for vulnerabilities.

Vulnerabilities need to be disclosed to vendor organizations in a timely manner so that corrective action can be taken promptly. Vulnerability disclosure programs offer guidelines on how to submit security vulnerabilities to organizations. They help organizations mitigate the risk by supporting and enabling the disclosure and remediation of vulnerabilities before they are exploited (Source: Bugcrowd).