[TheRecord] State-sponsored hacking group targets Port of Houston using Zoho zero-day

A suspected state-sponsored hacking group has attempted to breach the network of the Port of Houston, one of the largest port authorities in the US, using a zero-day vulnerability in a Zoho user authentication appliance, CISA officials said in a Senate hearing today.

Port officials said they successfully defended the attack, and “no operational data or systems were impacted as a result” of the attempted intrusion.

The investigation into the attack resulted in CISA, the FBI, and the Coast Guard sending a joint advisory on September 16 warning US organizations about attacks carried out by a nation-state hacking group using the Zoho zero-day.

According to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike, the zero-day had been used in attacks since late August.

ManageEngine Exploit (CVE-2021-40539)

* Limited use in targeted intrusion activity (Possibly a single actor, but unclear at this point)
* Actor(s) appeared to have a clear objective with ability to get in and get out quickly
* No known POC so exploit appears to be close-hold

2/

— Matt Dahl (@voodoodahl1) September 8, 2021

Zoho patched the vulnerability (CVE-2021-40539) on September 8, when CISA also issued a first warning of the ongoing attacks.

The attack has not yet been attributed to a specific foreign government

CISA officials said they have not yet attributed the attack against the Port of Houston to a specific hacking group or foreign government.

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators today in a meeting of the Senate Homeland Security and Governmental Affairs Committee.

“Certainly, the most sophisticated threat actors go to great lengths, as we saw with SolarWinds, to be able to cover their tracks and obfuscate their presence so that they can live for long times in networks and be able to extract data.

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” added the CISA Director, who categorized the attackers as a “nation-state actor” in her answer to a subsequent question.

Port of Houston officials did not return a request for comment seeking additional details about the attack.

The post State-sponsored hacking group targets Port of Houston using Zoho zero-day appeared first on The Record by Recorded Future.
