Security News > 2021 > November > Zoho Password Manager Flaw Torched by Godzilla Webshell
A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend.
The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far, deploying the Godzilla webshell and exfiltrating data.
Unit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.
Unit 42 said that after threat actors exploited CVE-2021-40539 to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.
The actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called NGLite and a new credential-stealer that Unit 42 is tracking as KdcSponge.
The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it "Parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response."
News URL
https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-07 | CVE-2021-40539 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | 9.8 |