Security researchers at Palo Alto Networks Unit 42 and Microsoft have uncovered a previously unidentified threat actor, tracked by Microsoft as DEV-0322, compromising systems running Zoho ManageEngine ADSelfService Plus versions vulnerable to CVE-2021-40539 in a targeted campaign. The threat actor has successfully compromised at least nine global organizations in the energy and defense sectors, among others. The Microsoft Threat Intelligence Center (MSTIC) attributes this activity with “high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.” In September, CISA released a joint alert warning that advanced persistent threat (APT) actors were actively exploiting a newly identified vulnerability in the self-service password management software, tracked as CVE-2021-40539.
The attack chain begins with the actors gaining initial access to a victim’s device or network by exploiting CVE-2021-40539. After gaining initial access, the actors were observed uploading a Godzilla webshell and “a custom variant of an open-source backdoor called NGLite and a credential-harvesting tool we track as KdcSponge…the threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network,” according to Palo Alto. Additionally, MSTIC observed the threat actor deploy a Trojan that “uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.” The adversary’s likely objective “involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization.” CISA has just released an alert on this activity and encourages organizations to review the indicators of compromise and other technical details in the Palo Alto and Microsoft reports. Read more at Microsoft or at Palo Alto.