Threat Group Takes Aim Again at Cloud Platform Provider Zoho

State-backed adversaries expanded attacks against cloud platform company Zoho and its ManageEngine ServiceDesk Plus software, a help desk and asset management solution. A recent campaign marks an uptick in attacks against the firm’s platform, which have also included past targeting of Zoho’s ADSelfService Plus.

This most recent campaign, reported by Palo Alto Networks Unit 42 this week, dovetails with warnings in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) of similar attacks. That targeting included an unspecified APT exploiting a then-zero-day vulnerability in Zoho’s password management solution called ADSelfService Plus.

In the Unit 42 report, authored by Robert Falcone and Peter Renals, researchers said the most recent activity was tracked between late October and November. During that time, attackers began reconnaissance efforts against a U.S. financial organization running a vulnerable version of ManageEngine ServiceDesk Plus, they wrote.

“In the days that followed, we observed similar activity across six other organizations, with exploitation against one U.S. defense organization and one tech organization beginning as early as Nov. 3,” researchers said.

Unit 42 is now tracking the two active attack fronts against Zoho’s ManageEngine as the “TiltedTemple” campaign and has evidence to believe that the attackers are from China, though “attribution is still ongoing,” the researchers said. Back in November, Unit 42 said it observed correlations…