State-sponsored hacking group targets Port of Houston using Zoho zero-day
A suspected state-sponsored hacking group has attempted to breach the network of the Port of Houston, one of the largest port authorities in the US, using a zero-day vulnerability in a Zoho user authentication appliance, CISA officials said in a Senate hearing today.
Port officials said they successfully defended the attack, and "no operational data or systems were impacted as a result" of the attempted intrusion.
The investigation into the attack resulted in CISA, the FBI, and the Coast Guard sending a joint advisory on September 16 warning US organizations about attacks carried out by a nation-state hacking group using the Zoho zero-day.
According to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike, the zero-day had been used in attacks since late August.
ManageEngine Exploit (CVE-2021-40539)— Matt Dahl (@voodoodahl1) September 8, 2021
* Limited use in targeted intrusion activity (Possibly a single actor, but unclear at this point)
* Actor(s) appeared to have a clear objective with ability to get in and get out quickly
* No known POC so exploit appears to be close-hold
Zoho patched the vulnerability (CVE-2021-40539) on September 8, when CISA also issued a first warning of the ongoing attacks.
The attack has not yet been attributed to a specific foreign government
CISA officials said they have not yet attributed the attack against the Port of Houston to a specific hacking group or foreign government.
"[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is," CISA Director Jen Easterly told senators today in a meeting of the Senate Homeland Security and Governmental Affairs Committee.
"Certainly, the most sophisticated threat actors go to great lengths, as we saw with SolarWinds, to be able to cover their tracks and obfuscate their presence so that they can live for long times in networks and be able to extract data.
"But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable," the CISA Director added, who categorized the attackers as a "nation-state actor" in an answer to a subsequent question.
Port of Houston officials did not return a request for comment seeking additional details about the attack.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.