Microsoft has issued a warning that a Chinese hacking group is exploiting Zoho's password management and single sign-on software to compromise Windows machines.

Microsoft has published a notice about the abuse of systems running Zoho ManageEngine ADSelfService Plus. According to the Microsoft Threat Intelligence Center (MSTIC), the activity is being carried out by an advanced Chinese hacking group. Microsoft reports that the attackers are exploiting a previously unknown flaw in the Zoho software to install a web shell.

What is Zoho ManageEngine ADSelfService Plus?

Zoho ManageEngine ADSelfService Plus is a software product that provides self-service password management and a single sign-on solution. The Chinese hackers are exploiting a remote code execution vulnerability in the software, tracked as CVE-2021-40539. Microsoft assesses the activity as a targeted malware operation and has been flagging it since September.

How does the attack take place?

The attacks achieve remote code execution by exploiting the flaw to bypass the REST API authentication on exposed devices. According to Microsoft, some of the group's most recent intrusions have included a Godzilla web shell payload, which is particularly problematic because a web shell dropped on the server survives a patch to the underlying OS or to the vulnerable software itself.
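Because a web shell written to disk outlives the patch, a defender needs a check that compares the web application's files against a known-clean baseline after patching, not just confirmation that the vendor fix is installed. The following is an added example of such a baseline-and-diff check; it is not code from the article, from Microsoft, or from Zoho. The web root path, the baseline capture, and the list of script extensions to watch are assumptions for illustration.

```python
"""Baseline-and-diff check for dropped web shells (added example).

Assumptions, not from the original article: the caller supplies the web
application root, and the baseline inventory was captured from a known-clean
install (or regenerated from the vendor package) before the diff is run.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Server-side script extensions a web shell would typically use on a
# Java/Tomcat-hosted application. Assumed list; extend for your stack.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".war", ".class"}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(p)
    return result


def find_suspect_files(baseline, current):
    """Return (added, modified) lists of script files, each sorted by path.

    added:    script files present now but absent from the baseline
    modified: script files whose hash differs from the baseline
    Non-script files (HTML, images, etc.) are ignored to keep the signal clean.
    """
    added, modified = [], []
    for rel, digest in sorted(current.items()):
        if Path(rel).suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if rel not in baseline:
            added.append(rel)
        elif baseline[rel] != digest:
            modified.append(rel)
    return added, modified


def demo():
    """Constructed scenario: clean install, then a dropped shell and a tampered page."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "webapps" / "adssp"  # assumed layout, not Zoho's real one
        (app / "help").mkdir(parents=True)
        (app / "index.jsp").write_text("<html>login</html>")
        (app / "help" / "faq.html").write_text("<html>faq</html>")
        baseline = inventory(app)

        # Simulated post-compromise state: a new JSP file appears and an
        # existing JSP is altered. Both are inert placeholders, not real shells.
        (app / "help" / "cmd.jsp").write_text("<% /* constructed placeholder */ %>")
        (app / "index.jsp").write_text("<html>login</html><% /* altered */ %>")
        return find_suspect_files(baseline, inventory(app))


if __name__ == "__main__":
    added, modified = demo()
    print("added script files:   ", added)
    print("modified script files:", modified)
```

Run the inventory once from a clean deployment, store it off-host, and re-run the diff after every patch cycle; anything in the added or modified lists warrants a manual look at the file and at the web server's access log around its modification time.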

Which sectors is the attack targeting?

The attacks have been observed across several sectors: malicious activity targeting the software has been detected in the US defense industrial base, higher education institutions, consulting services, and IT companies. Microsoft attributes the attacks to a group it tracks as DEV-0322, the same group that previously exploited a zero-day flaw in SolarWinds Serv-U FTP software.

Microsoft is not the only firm attributing the activity to this group. Palo Alto Networks also blamed the same hackers for scanning ManageEngine ADSelfService Plus servers in mid-September. The group has been involved in numerous malicious activities, including credential dumping, custom binary installations, and

According to Microsoft, the Chinese attackers are exploiting Zoho’s vulnerabilities to attack critical infrastructure, including the likes of defense, education, IT organizations, and more.