Chinese espionage group exploits password manager flaw to breach cos globally, Zoho confirms fix

A fresh round of breaches targeting companies in critical sectors around the world have been reported, which exploited an enterprise password manager vulnerability to steal their data.  

Discovered by cyber security researchers at Palo Alto Networks, the breaches were ensued through a vulnerability in Zoho ManageEngine – an enterprise password management solution.  

While a conclusive perpetrator has not been determined, security researchers working on this incident have suggested that Chinese state-backed group APT27 are most likely behind the attacks. 

The critical vulnerability, which has been logged under CVE-2021-40539, allowed the attackers to remotely execute code on unpatched systems running ManageEngine – thereby bypassing authentication. 

A report on the matter, published by Palo Alto Networks researchers Robert Falcone, Jeff White and Peter Renals says, “As early as September 17, the attackers leveraged leased (cyber) infrastructure in the United States, to scan hundreds of vulnerable organisations across the internet.  

Subsequently, exploitation attempts began on September 22, and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.” 

A Zoho ManageEngine spokesperson confirmed the breach to Mint, but said that a patch for the vulnerability has been issued and all clients are being encouraged to apply the fix at the earliest. “We have addressed an authentication bypass vulnerability in ManageEngine's ADSelfService Plus.  

The vulnerability affects REST API URLS and could result in Remote Code Execution. We released a patch and notified all our customers about the bug. They are requested to update the software to the latest version (build 6114) as soon as possible. A public advisory, detailing the steps to be taken by customers if they are affected, has been issued,” the spokesperson said. 

Falcone, White and Renals state that as per their analysis, a total of 11,000 enterprise servers are presently running the Zoho ManageEngine server, and are exposed to the internet. However, there is no clarity in terms of how many of them have been patched using the fix that the Zoho spokesperson mentions above.  

The researchers also claim that as per their data, the attackers have targeted at least 370 Zoho ManageEngine servers, and that their targeting pattern did not have any specific industry in mind – suggesting an indiscriminate sweep. 

The attack could have potentially leaked sensitive corporate data, including confidential business and employee information to the attackers. It is not clear as to how the breached data has been exploited, so far.