Cyberattacks continue, this time with threat actors exploiting a recently patched critical flaw in a Zoho product. The bug, tracked as CVE-2021-40539, affects ManageEngine ADSelfService Plus, Zoho’s self-service password management solution, and can lead to remote code execution.

The Zoho Vulnerability: Background

On the 16th of September, CISA released a joint advisory warning that APT actors were exploiting the ManageEngine ADSelfService Plus bug, a vulnerability that Zoho patched in the same month.

Over the weekend, researchers at Palo Alto Networks’ Unit 42 detailed a new campaign exploiting this known, patched vulnerability in a thorough report. According to the report, the campaign has the following characteristics:

  • The goal of threat actors was to achieve initial access to certain organizations.
  • Among the targeted organizations, the researchers discovered nine entities associated with different sectors like healthcare, education, energy, technology, and defense.
  • The attackers used a backdoor to steal sensitive data and additional malicious tools to collect credentials.
  • Abusing the above-mentioned flaw leaves room for lateral movement, which can expand the damage to the network after exploitation.

Attack Methods When Abusing the Zoho Vulnerability

The same report highlights three elements used in exploiting the Zoho vulnerability in ManageEngine ADSelfService Plus and performing malicious actions: the Godzilla webshell, reportedly a Chinese-language JSP web shell; the open-source trojan dubbed NGLite; and, finally, the KdcSponge tool.

Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite. The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge.


The researchers explained that Godzilla is a web shell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes the decrypted content to provide extra functionality, and returns the result in the HTTP response.
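A defender can hunt for the POST-driven behaviour described above in web server access logs. The following is an added example, not code from Unit 42 or from this article: a heuristic that flags JSP paths receiving only successful POST requests from very few clients. The log lines, paths, thresholds and function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Common Log Format prefix: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)

# Constructed sample lines: paths and addresses are invented for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Nov/2021:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [08/Nov/2021:10:00:05 +0000] "POST /login.jsp HTTP/1.1" 200 812
198.51.100.9 - - [08/Nov/2021:10:01:11 +0000] "GET /login.jsp?lang=en HTTP/1.1" 200 5120
203.0.113.50 - - [08/Nov/2021:10:02:00 +0000] "POST /static/img/cache.jsp HTTP/1.1" 200 64
203.0.113.50 - - [08/Nov/2021:10:02:03 +0000] "POST /static/img/cache.jsp HTTP/1.1" 200 2048
203.0.113.50 - - [08/Nov/2021:10:02:09 +0000] "POST /static/img/cache.jsp HTTP/1.1" 200 9731
203.0.113.50 - - [08/Nov/2021:10:02:30 +0000] "POST /static/img/cache.jsp HTTP/1.1" 200 120
198.51.100.7 - - [08/Nov/2021:10:03:00 +0000] "POST /api/search.jsp HTTP/1.1" 200 300
198.51.100.8 - - [08/Nov/2021:10:03:02 +0000] "POST /api/search.jsp HTTP/1.1" 200 310
198.51.100.9 - - [08/Nov/2021:10:03:04 +0000] "POST /api/search.jsp HTTP/1.1" 200 305
this line is truncated and should be skipped
"""

def find_post_only_jsp(lines, min_posts=3, max_clients=2):
    """Return JSP paths that only ever receive successful POSTs from few clients."""
    stats = defaultdict(lambda: {"post": 0, "other": 0, "clients": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # skip malformed lines and unsuccessful requests
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.lower().endswith((".jsp", ".jspx")):
            continue
        entry = stats[path]
        entry["post" if m["method"] == "POST" else "other"] += 1
        entry["clients"].add(m["ip"])
    # Legitimate pages are normally browsed (GET) and used by many clients;
    # a POST-only page driven by one or two addresses deserves a manual review.
    return sorted(
        path for path, e in stats.items()
        if e["other"] == 0 and e["post"] >= min_posts and len(e["clients"]) <= max_clients
    )

if __name__ == "__main__":
    for hit in find_post_only_jsp(SAMPLE_LOG.splitlines()):
        print("review:", hit)
```

A hit is a lead for file-system review of the flagged path, not proof of compromise; tune the thresholds to the traffic of the server being examined.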

NGLite is a program associated with blockchain technology that uses the infrastructure named New Kind of Network (NKN) for its C2 communications. This reportedly allows users to remain anonymous.

KdcSponge is a tool used for credential theft.

KdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific functions to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos. The malicious code writes stolen credentials to a file but is reliant on other capabilities for exfiltration.


According to Cyware, it has not been confirmed who is behind this new campaign. The researchers who detailed the issue in their recent report observed some correlations in tools and attack methods with the APT27 group (Emissary Panda), allegedly a Chinese-based group they analyzed in the past, but the threat actor behind this new campaign remains unconfirmed for the moment.

How to Stay Safe Using Heimdal™?

Vulnerability management should remain a top priority for every business that wants the best means of supporting its organization’s cybersecurity. Existing software is not perfect and harbors vulnerabilities from time to time. To keep the threat those bugs pose away from your network, an automated Patch Management Solution will help you handle your vulnerability management efficiently and use your time wisely.

Our tool lets you deploy any patch no matter where you are, using command-line scripting to cover patches from Microsoft to third-party and proprietary software. But what is even nicer about our tool is the vendor to end-user waiting time: in less than 4 hours from the release, you have your patch tested, repackaged, and ready to be deployed. Curious? Go and find out more about our Patch Management Solution!
