Chinese hackers may have targeted Zoho, says US cyber security firm

Palo Alto Networks said the tactics and tooling used in the attacks were similar to those of Chinese hacking group Emissary Panda, though it has not been able to validate the actor behind the campaign.

Reuters
Enterprise software maker Zoho was targeted by hackers, possibly of Chinese origin, who exploited a vulnerability in its self-serve password management tool ManageEngine from late September to early October, according to a blog post by Palo Alto Networks.

The US-based cyber security firm’s Unit 42 said last week that the hackers exploited the known vulnerability to successfully infiltrate at least nine global organisations in critical sectors such as defence, energy, healthcare, education and technology.

The attack, which it said began on September 22 and likely continued until early October, targeted at least 370 of Zoho's ManageEngine servers in the United States.


Palo Alto Networks said the tactics and tooling used in the attacks were similar to those of Chinese hacking group Emissary Panda, though it has not been able to validate the actor behind the campaign.

It said it had detected over 11,000 servers running Godzilla Webshell, the malware that was deployed in the cyberattack.

The issue was first reported by the US Cybersecurity and Infrastructure Security Agency on September 16. Palo Alto Networks noticed the hacking campaign days after this alert.

The vulnerability, in Zoho’s ManageEngine ADSelfService Plus solution, has since been patched.

“We have addressed an authentication bypass vulnerability in ManageEngine's ADSelfService Plus. The vulnerability affects REST API URLs and could result in Remote Code Execution. We released a patch and notified all our customers about the bug,” a spokesperson from ManageEngine said.

The company advised customers to update to the latest version of the software and detailed the ways to find out if they had been targeted. Zoho did not share details on the number of customers affected.

A spokesperson for the Chennai-based company said it was putting in place further security measures. “We are also taking steps to apply the lessons from this incident and to introduce additional security control measures wherever required,” the spokesperson said.

According to Palo Alto Networks, the attackers’ motive was to maintain persistence in the victims’ networks.

“The objective appears to be to maintain long-term access to facilitate espionage,” online publication Tech Monitor quoted Ryan Olsen, VP of Unit 42, as saying.