You'll never guess who's been exploiting the ManageEngine service to steal passwords (Security News, November 2021)
The vulnerability exploited by the attackers was originally reported by the Cybersecurity and Infrastructure Security Agency, which issued an alert on 16 September.
An unrelated group of cyber actors had exploited the same vulnerability in the same password management service, Zoho's ManageEngine ADSelfService Plus, as early as August 2021.
"Advanced persistent threat cyber actors have targeted academic institutions, defence contractors, and critical infrastructure entities in multiple industry sectors - including transportation, IT, manufacturing, communications, logistics, and finance," warned CISA. The attackers uploaded.
The attackers then moved laterally using Windows Management Instrumentation (WMI), gained access to a domain controller, and exfiltrated registry hive and Active Directory files.
Within days, Unit 42 identified an unrelated campaign that attacked the same vulnerability.
Unit 42 described Godzilla as a functionality-rich webshell: it parses inbound HTTP POST requests, decrypts the request body with a secret key, executes the decrypted content to carry out additional functionality, and returns the result in the HTTP response. Because the payload arrives encrypted at request time rather than living in the shell file, attackers can keep code that might otherwise be flagged as malicious off the target system until the moment it executes.
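The post-exploitation chain described above (webshell commands launched from the web application process, WMI-driven lateral movement, and collection of registry hives and Active Directory files) leaves traces in process-creation telemetry even when the webshell payload itself never touches disk. The following detection sketch is an added example, not code from the article, CISA or Unit 42; it runs a few rules over constructed process-creation records in the shape of Sysmon Event ID 1 fields. The image names in `WEB_WORKERS` (ADSelfService Plus is assumed to run as a Java process) and the sample events are assumptions, not observations from the campaigns.

```python
"""Rule-based detection over constructed process-creation events.

Added example (not the article's, CISA's or Unit 42's code). The event
records below are constructed for illustration; the web worker image
names are an assumption about how the targeted application runs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    host: str
    parent_image: str
    image: str
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: the web application (ADSelfService Plus runs on Java/Tomcat)
# executes as one of these worker images; adjust for your deployment.
WEB_WORKERS = {"java.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}
# Registry hive export of the credential-bearing hives (T1003.002-style).
HIVE_RE = re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)
# Touching the AD database or creating a shadow copy to read it (T1003.003-style).
NTDS_RE = re.compile(r"ntds\.dit|ntdsutil|vssadmin\s+create\s+shadow", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty if benign)."""
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    # A web server worker spawning a shell is the classic webshell tell:
    # the encrypted Godzilla payload is invisible on disk, the child process is not.
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("webshell_command_execution")
    # Commands executed remotely through WMI run under the WMI provider host.
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append("wmi_remote_execution")
    if HIVE_RE.search(ev.command_line):
        findings.append("registry_hive_dump")
    if NTDS_RE.search(ev.command_line):
        findings.append("ad_database_access")
    return findings


def scan(events) -> list:
    """Flatten (host, image, rule) triples for every matching event."""
    return [(ev.host, ev.image, f) for ev in events for f in classify(ev)]


# Constructed sample telemetry (hostnames, paths and commands are invented).
SAMPLE_EVENTS = [
    ProcEvent("adss01", r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("dc01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent("dc01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\Temp\x" q q'),
    ProcEvent("ws07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, image, rule in scan(SAMPLE_EVENTS):
        print(f"{host:8} {image:35} {rule}")
```

The first rule is the one that matters most for the Godzilla case: signature scanning of the dropped shell file tells you little when the payload arrives encrypted in each POST, but the web worker process still has to spawn something to do the attacker's work, and that parent/child relationship is visible regardless of what the request body contained.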