10 November 2021

China-linked hackers exploit vulnerability in Zoho software to install malware

A sophisticated China-linked threat actor is exploiting a remote code execution bug in Zoho ManageEngine ADSelfService Plus, a password management and single sign-on solution, to install a webshell and malware on systems running the software.

The RCE bug, tracked as CVE-2021-40539, stems from improper access restrictions on the "/RestAPI/LogonCustomization" and "/RestAPI/Connection" REST API endpoints. A remote, unauthenticated attacker can send specially crafted HTTP requests to these endpoints and execute arbitrary code on the underlying system. Zoho fixed the flaw in ADSelfService Plus build 6114; earlier builds remain affected and should be upgraded.
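As an added example (not code from the article, Microsoft, or Unit 42), the Python script below scans web-server access logs for requests to the two REST API endpoints named above. The sample log lines and the combined-log-format regex are constructed assumptions; adapt the pattern to the server's actual log format. The script canonicalizes each request path (percent-decoding and collapsing dot segments) before matching so that obfuscated spellings of the same route are not missed, ranks POSTs above GETs as a heuristic (a GET to these routes can be ordinary UI traffic, a POST is what changes state), and lists any .jsp/.jspx files a flagged source IP requested afterwards as candidate webshell leads.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Endpoints named for CVE-2021-40539 in the vendor and CISA advisories.
WATCHED_ENDPOINTS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Assumed "combined" access-log format; adjust the pattern for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2021:10:01:02 +0000] "GET /RestAPI/LogonCustomization HTTP/1.1" 200 311
198.51.100.9 - - [18/Sep/2021:10:01:09 +0000] "GET /authorization.do HTTP/1.1" 200 9811
203.0.113.7 - - [18/Sep/2021:10:01:15 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 45
203.0.113.7 - - [18/Sep/2021:10:01:44 +0000] "POST /%52estAPI/Connection HTTP/1.1" 200 102
203.0.113.7 - - [18/Sep/2021:10:02:30 +0000] "POST /help/x.jsp HTTP/1.1" 200 0
198.51.100.9 - - [18/Sep/2021:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
garbage line that does not parse
"""


def normalize_path(target):
    """Decode percent-encoding and collapse '.'/'..' segments so request
    variants map onto the canonical route before matching."""
    path = unquote(urlsplit(target).path)
    norm = posixpath.normpath(path)
    # normpath keeps a leading '//'; force a single leading slash.
    return "/" + norm.lstrip("/")


def parse_line(line):
    """Return a dict for a parseable access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["target"])
    return rec


def watched_endpoint(path):
    """Return the watched endpoint a canonical path belongs to, or None."""
    for ep in WATCHED_ENDPOINTS:
        if path == ep or path.startswith(ep + "/"):
            return ep
    return None


def find_suspicious(log_text):
    """Scan access-log text and return (hits, followups).

    hits:      one entry per request to a watched endpoint; POSTs are
               marked 'high', GETs 'medium' (heuristic, tune to taste).
    followups: for each source IP with a hit, the distinct .jsp/.jspx
               paths it requested afterwards (candidate webshell drops).
    """
    hits = []
    flagged_ips = set()
    followups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ep = watched_endpoint(rec["path"])
        if ep:
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "status": rec["status"], "raw_target": rec["target"],
                "endpoint": ep,
                "severity": "high" if rec["method"] == "POST" else "medium",
            })
            flagged_ips.add(rec["ip"])
        elif rec["ip"] in flagged_ips and rec["path"].lower().endswith((".jsp", ".jspx")):
            followups.setdefault(rec["ip"], set()).add(rec["path"])
    return hits, followups


if __name__ == "__main__":
    hits, followups = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:6} {h['ts']} {h['ip']} {h['method']} "
              f"{h['raw_target']} -> {h['endpoint']} ({h['status']})")
    for ip, paths in followups.items():
        print(f"follow-up JSP requests from {ip}: {sorted(paths)}")
```

Hits are leads, not verdicts: the product's own login page can legitimately call these routes, so compare against a baseline of normal traffic and pivot on source IP and timing. Any JSP listed in the follow-ups should be checked against the files actually present under the web root and against the vendor's known file set.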

According to the Microsoft Threat Intelligence Center (MSTIC), the campaign, first observed in September 2021, targeted the US defense industrial base, higher education, consulting services, and IT sectors. MSTIC attributes the activity to a threat actor it tracks as DEV-0322, the same group that exploited a zero-day vulnerability in SolarWinds Serv-U FTP software in July 2021.

Researchers at Palo Alto Networks Unit 42 also spotted the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October. During this period, the group successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.

“Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite. The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge,” the researchers said.

In the attacks observed by Microsoft, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network. The threat actor also deployed a trojan tracked by Microsoft as Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

Indicators of Compromise for the campaigns are published in the Palo Alto Networks Unit 42 and Microsoft reports.

