On Monday, CNN reported that nine organizations spread across multiple sectors have been breached by what is believed to be foreign hackers. Palo Alto made it known to CNN that organizations within health care, technology, education, defense, and energy had all been the target of recent security breaches. It is also being reported that officials from the NSA and CISA are actively tracking the threat and working to mitigate it.
By exploiting a vulnerability in ManageEngine ADSelfService Plus which corporations utilize for password management and stealing those passwords from targeted organizations, attackers have been able to maintain persistent access on internal networks. This buys the attackers time to further their attack vectors and compromise more endpoints, as well as work to compromise high privilege accounts and increase their chances of accessing critical information. The official from Palo Alto that provided this information to CNN believe this is just the “tip of the spear” of the likely spying campaign that is taking place by foreign adversaries.
While it is currently unknown who is responsible for this attack, Palo Alto is reporting that many of the tactics and toolkits discovered are consistent with a suspected Chinese hacking group. The NSA and CISA, when asked to comment on the likely identity of these hackers, refused to comment. Officials from Palo Alto are stressing that it is extremely important to stay on top of software updates. Attackers are exploiting well known software vulnerabilities that could have been easily patched by the target organization. They are also encouraging organizations that utilize Zoho software to update their systems and search for signs of potential breach.
Vulnerable software is one of the top things attackers looks for when attempting to target an organization. Many times, these vulnerabilities and their corresponding exploits are widely known and easily preventable if you are aware of them. Conducting periodic penetration testing on both the external perimeter and internal network can prevent this vulnerabilities from being present in your environment. Additionally, having vulnerability scans run on a regular basis can make you aware of these critical vulnerabilities and your security team can eliminate them from the environment.