Security News > 2021 > December > Threat Group Takes Aim Again at Cloud Platform Provider Zoho

State-backed adversaries expanded attacks against cloud platform company Zoho and its ManageEngine ServiceDesk Plus software, a help desk and asset management solution.

Back in November, Unit 42 said it observed correlations between the tactics and tooling used in ADSelfService Plus campaigns and Threat Group 3390, also known as TG-3390 and Emissary Panda or APT27.

Findings by Microsoft Threat Intelligence Center's tied the September Zoho attacks targeting its ManageEngine ADSelfService Plus also suspect threat actor DEV-0322 is behind the campaign.

The advanced persistent threat group operates out of China, according Microsoft threat researchers.

Though attackers used the same webshell secret key - 5670ebd1f8f3f716 - in both TiltedTemple attacks, the Godzilla webshell used in the ServiceDesk Plus attack observed by researchers was not a single Java Server Pages file, which was seen before.

"In light of these recent developments, we would advance our characterization of the threat to that of an APT(s) conducting a persistent campaign, and leveraging a variety of initial access vectors, to compromise a diverse set of targets globally," researchers wrote.

News URL

https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/