Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.
Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539. Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company's enterprise IT management software division.
It's a targeted malware campaign, so most Windows users shouldn't need to worry about it, but Microsoft has flagged the campaign, which it first observed in September, because it's aimed at the US defence industrial base, higher education, consulting services, and IT sectors.
MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers.
Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October.
The bug concerns a REST API authentication bypass that can lead to remote code execution in vulnerable devices.
Microsoft fleshes out some details of the group's latest activity exploiting the Zoho bug, which relied on the Godzilla webshell payload. Webshells are generally considered a problem because they persist on the server even after the underlying OS or software has been patched.
It notes that the group was involved in "credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network."
The attack group also deployed a Trojan Microsoft calls Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.
"Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it," notes Palo Alto Networks.
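Because a webshell of this kind is driven entirely by inbound POST requests and is never linked from or browsed to like a normal page, a simple access-log heuristic is to flag .jsp endpoints that only ever receive POSTs. The example below is added here and is not code from Microsoft, Palo Alto Networks or Zoho; the log lines, hostnames and paths are constructed for illustration and are not from the article.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format style). The paths and
# client addresses are invented for this example, not taken from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2021:10:01:02 +0000] "GET /selfservice/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [20/Sep/2021:10:01:05 +0000] "POST /selfservice/login.jsp HTTP/1.1" 302 0
10.0.0.7 - - [20/Sep/2021:10:05:11 +0000] "GET /selfservice/login.jsp HTTP/1.1" 200 4096
203.0.113.9 - - [21/Sep/2021:02:13:40 +0000] "POST /help/reset.jsp HTTP/1.1" 200 812
203.0.113.9 - - [21/Sep/2021:02:13:41 +0000] "POST /help/reset.jsp HTTP/1.1" 200 1934
203.0.113.9 - - [21/Sep/2021:02:14:02 +0000] "POST /help/reset.jsp HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse(lines):
    """Yield one dict per parsable request line; skip anything malformed."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_post_only_jsp(log_text, min_posts=2):
    """Return {path: sorted client IPs} for .jsp paths that received at least
    min_posts POST requests and were never fetched with any other method.
    A legitimate form handler is normally also loaded via GET; an endpoint
    that is only ever POSTed to matches the Godzilla traffic pattern."""
    methods = defaultdict(set)   # path -> set of HTTP methods seen
    posters = defaultdict(set)   # path -> set of client IPs that POSTed
    post_count = defaultdict(int)
    for rec in parse(log_text.splitlines()):
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(".jsp"):
            continue
        methods[path].add(rec["method"])
        if rec["method"] == "POST":
            posters[path].add(rec["ip"])
            post_count[path] += 1
    return {p: sorted(posters[p]) for p in methods
            if methods[p] == {"POST"} and post_count[p] >= min_posts}


if __name__ == "__main__":
    for path, ips in find_post_only_jsp(SAMPLE_LOG).items():
        print(f"review {path}: POST-only endpoint hit by {', '.join(ips)}")
```

Treat a hit as a lead for file-level review of that JSP on the server, not as proof of compromise.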