A new string of attacks has been recorded targeting companies that use ManageEngine ServiceDesk Plus, provided by cloud platform firm Zoho, according to Threatpost. Zoho had previously been the target of state-backed threat actors who exploited a zero-day vulnerability in its ADSelfService Plus password management solution.
Researchers from Palo Alto Networks Unit 42 reported that the new attacks, which were conducted between late October and November, increased the number of the attackers’ known victims so far from nine to 13. Unit 42 said it tracked the attackers’ initial observation of a U.S. financial company running a vulnerable version of ManageEngine ServiceDesk Plus, which the attackers likely intended to exploit. The activity soon expanded to six additional organizations, according to the researchers, and the attacks began as early as Nov. 3.
Zoho later issued a security advisory on Nov. 22 revealing a vulnerability in versions 11305 and older of its ManageEngine ServiceDesk Plus software. The vulnerability allows attackers to perform unauthenticated remote code execution. Unit 42 said the attackers were likely targeting unpatched versions of the program but added that no proof-of-concept code for an exploit has been found so far.