Attackers Exploit Zoho Vulnerability & Access Windows LSASS API

Cybersecurity firm Palo Alto Networks has warned of an ongoing campaign that has compromised at least nine critical organizations worldwide, in sectors including defense, healthcare, energy, tech and education. The threat actors behind this campaign exploited a vulnerability in Zoho’s enterprise password management solution, ManageEngine ADSelfService Plus, which allows remote code execution on unpatched systems. The attackers also used KdcSponge, malware known to steal credentials, which accesses Windows LSASS API functions to capture credentials (domain names, usernames and passwords). Needless to say, this is far from trivial. In fact, it is downright dangerous.

Yariv Shivek, VP of Product at Neosec, had this to say:

     “Service exploitation is always best mitigated by WAF and NGAV solutions. However, no security control is infallible, and when those controls are not present, or fail to detect and block the attacks, compensating controls better be in place.”

     “In this case, an attack against ManageEngine’s REST API started with the exploitation of a zero-day authentication bypass vulnerability. Having gained full access to the API, the attackers had a much larger attack surface to work with. They found other vulnerable API endpoints that allowed for arbitrary file writes and command injection, and by chaining all 3 together managed to drop in webshells and proceed to completely take over the servers running the vulnerable API implementation, pivoting from them into the victims’ networks.”

     “This pattern is not unique – signature matching is inherently useless against zero-day attacks for which no signature exists.”

     “Thus, when developing your own APIs – test them for security vulnerabilities; when deploying them in production – monitor their usage to detect any anomalous behavior.”

     “And remember: Anomaly detection often prevails where signatures fail.”

If you’re a Zoho user, consider yourself warned.
