Global organisations in the defence, energy, healthcare and technology sectors saw their systems compromised after cloud software company Zoho was hacked. The company’s IT management software was infiltrated via its password system, and 11,000 servers were infected with malware. Users are being urged to patch the vulnerability urgently or risk their systems being infected.
Details of the breach were released by security company Palo Alto Networks yesterday. It said at least nine organisations had been affected, with more than 11,000 internet-exposed servers now running Godzilla Webshell, the cyber-espionage malware deployed in the attack. The tactics and tools used match those often utilised by Chinese hacking group Emissary Panda, a specialist in cyber espionage.
Based in India, Zoho offers a range of cloud-based enterprise tools, and has more than 50 million users around the world.
Zoho hack: what happened?
US cyber defence agency CISA released an alert warning that threat actors were exploiting vulnerabilities in a self-service password management and single sign-on solution called ManageEngine ADSelfService Plus, which is part of the Zoho software suite. Days after this alert was first released, Palo Alto Networks first noticed a campaign carrying out attacks using this vulnerability.
According to the new report released by the Palo Alto Networks Unit 42 research arm, the hackers used leased infrastructure in the US to scan more than 300 vulnerable organisations online. They then conducted exploitation attempts and compromised at least nine companies. “The difficult-to-detect attack exploits known vulnerabilities in Zoho’s identity and access management tool,” Ryan Olsen, VP of Unit 42, told Tech Monitor. “The objective appears to be to maintain long-term access to facilitate espionage.”
Researchers uncovered the use of the Chinese-language Godzilla webshell, which is difficult to detect when testing networks and is therefore a particularly effective tool for cybercriminals. According to Palo Alto Networks, there are 11,000 internet-exposed systems running software affected by this webshell. “The scans did not indicate what percentage of those systems remain unpatched, which makes them vulnerable to the same type of attack,” Olsen adds.
Zoho has been communicating with its customers to try to minimise the damage, said a spokesperson for the company’s ManageEngine team. “ManageEngine has actively been communicating with customers to ensure that they update the solution to the latest build,” they said. “We have also created an exploit detection tool to check if a customer’s installation has been affected by the vulnerability.” This tool can be found here.
Who are Emissary Panda?
The breach has thrust hacking gang Emissary Panda back into the spotlight, with Palo Alto Networks pinpointing the group as the likely perpetrator of the Zoho hack. The group, also known as APT27, is thought to have been operating since 2010. Many experts believe it is supported by the Chinese government. Although its focus is predominantly cyber espionage, a report by Israeli security firm Security Joes states that while the group usually tries to exfiltrate sensitive data, it has also been known to deploy ransomware, particularly during the pandemic.
Emissary Panda was given its name by the security company CrowdStrike, which explains in its 2020 Global Threat Report that the group uses a mixture of custom and commodity malware against healthcare and telecommunications targets, with organisations based in the Middle East often targeted.
What happens next for Zoho users?
ManageEngine has devised and released an incident response plan to help customers immediately address the vulnerabilities, but the spokesperson added: “ManageEngine was unaware of the vulnerability before it was initially exploited by cybercriminals.”
Olsen says Unit 42 has also created a summary of the indicators of compromise for anyone affected by the hack. “We have provided comprehensive indicators of compromise that will help organisations determine if they are compromised by this campaign. If they are, they will need to conduct incident response remediation to ensure the actor is out of the environment before they can reset passwords with confidence.” He added that the breach should serve as a “call to arms” for organisations that have not yet patched up their systems.
The company has shared its findings with governments around the world, as well as other security organisations which are part of the Cyber Threat Alliance (CTA). “CTA members use such intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors,” the report says.