Back in September, the Zoho MachineEngine ADSelfService Plus reported a critical vulnerability that would allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts. CISA issued a strong warning at the time to not only apply the patch immediately, but also ensure the ADService Plus isn’t directly accessible from the internet.
Palo Alto’s Unit 42 researchers found that threat actors have since been scanning the web for unpatched servers and have succeeded in infiltrating over 350+ systems in the technology, defense, healthcare, energy and education sectors.
The Zoho MachineEngine ADSelfService Plus password manager is a strong, highly privileged application that can serve as a handy point-of-entry for both users and attackers into locations deep within an enterprise. Once the CVE was exploited, threat actors moved laterally to deploy malware. They installed harvesting malware to collect usernames and passwords from domain controllers and deployed Godzilla webshell, which is “a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response”. As a result, attackers can achieve plenty without running code that’s likely to be identified as malicious, and avoid detection.
Staying up to date with CVEs, updates and patches is critical!
Take action now and measure your overall Cybersecurity posture to see if you’re doing everything you can to protect your organisation
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
