[TheRecord] State-sponsored hacking group targets Port of Houston using Zoho zero-day

A suspected state-sponsored hacking group has attempted to breach the network of the Port of Houston, one of the largest port authorities in the US, using a zero-day vulnerability in a Zoho user authentication appliance, CISA officials said in a Senate hearing today.

Port officials said they successfully defended against the attack, and “no operational data or systems were impacted as a result” of the attempted intrusion.

The investigation into the attack resulted in CISA, the FBI, and the Coast Guard sending a joint advisory on September 16 warning US organizations about attacks carried out by a nation-state hacking group using the Zoho zero-day.

According to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike, the zero-day had been used in attacks since late August.

ManageEngine Exploit (CVE-2021-40539)

* Limited use in targeted intrusion activity (Possibly a single actor, but unclear at this point)
* Actor(s) appeared to have a clear objective with ability to get in and get out quickly
* No known POC so exploit appears to be close-hold

2/

— Matt Dahl (@voodoodahl1) September 8, 2021

Zoho patched the vulnerability (CVE-2021-40539) on September 8, when CISA also issued a first warning of the ongoing attacks.

The attack has not yet been attributed to a specific foreign government

CISA officials said they have not yet attributed the attack against the Port of Houston to a specific hacking group or foreign government.

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators today in a meeting of the Senate Homeland Security and Governmental Affairs Committee.

“Certainly, the most sophisticated threat actors go to great lengths, as we saw with SolarWinds, to be able to cover their tracks and obfuscate their presence so that they can live for long times in networks and be able to extract data.

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” the CISA Director added. In an answer to a subsequent question, she categorized the attackers as a “nation-state actor.”

Port of Houston officials did not return a request for comment seeking additional details about the attack.

The post State-sponsored hacking group targets Port of Houston using Zoho zero-day appeared first on The Record by Recorded Future.

