Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit
At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on solution.
The spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.
"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation," researchers from Palo Alto Networks' Unit 42 threat intelligence team said in a report.
Unit 42's investigation into the attack campaign found that successful initial exploitation was followed by the installation of a Chinese-language JSP web shell named "Godzilla," with select victims also infected with a custom Golang-based open-source Trojan called "NGLite."
In subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network while exfiltrating files of interest.
"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately," CISA said, in addition to recommending "Domain-wide password resets and double Kerberos Ticket Granting Ticket password resets if any indication is found that the 'NTDS.dit' file was compromised."