2021-12-01

TiltedTemple Campaign, APT27

Level: Tactical | Source: Unit42 (Latest) | Critical Infrastructure


Activity from Threat Group 3390 (APT27) was reported on November 7th, 2021. Palo Alto Networks Unit42 identified four more compromised organizations since September 16th, 2021. The initial intrusions exploited Zoho's ManageEngine ADSelfService Plus through CVE-2021-40539. A shift in tactics was observed between October 25th and November 8th, with the actor moving to exploit Zoho's ManageEngine ServiceDesk Plus through CVE-2021-44077. This vulnerability is an unauthenticated remote code execution flaw for which no public PoC code currently exists, which leads to the assumption that the threat actor group developed its own exploit. As described by Unit42: "The exploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable specifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests are required for successful exploitation, and both are initiated remotely via the REST API without requiring authentication to the ServiceDesk server." Based on the combination of these activities, Palo Alto Networks is tracking the campaign as "TiltedTemple."
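As an added illustration from the detection side (not code from Unit42's report or from Anvilogic), the following Python correlates web-server access log lines for the two-request pattern Unit42 describes: a POST to the ServiceDesk REST API uploading a file named msiexec.exe, followed shortly by a second API request from the same source that names that file. The API path prefix, the endpoint names and the sample log lines are constructed placeholders, not the real ServiceDesk Plus endpoints.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" style access log; fields past the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
API_PREFIX = "/api/"          # ASSUMPTION: placeholder for the ServiceDesk REST API path
PAYLOAD_NAME = "msiexec.exe"  # file name Unit42 reports for both requests
WINDOW = timedelta(minutes=15)

# Constructed sample lines; endpoint names are placeholders, not real ServiceDesk routes.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Nov/2021:14:02:11 +0000] "POST /api/v3/attachments?filename=msiexec.exe HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.10 - - [08/Nov/2021:14:02:40 +0000] "POST /api/v3/actions?target=msiexec.exe HTTP/1.1" 200 84 "-" "python-requests/2.25"
198.51.100.7 - - [08/Nov/2021:14:05:02 +0000] "POST /api/v3/attachments?filename=report.pdf HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2021:14:06:00 +0000] "GET /api/v3/requests HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Nov/2021:16:30:00 +0000] "GET /api/v3/attachments?filename=msiexec.exe HTTP/1.1" 404 0 "-" "curl/7.68"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_exploit_chains(log_text, window=WINDOW):
    """Return (ip, upload_ts, launch_ts) for every source that POSTed a file
    named msiexec.exe to the API and then issued another API request naming
    that file within `window`. A lone upload is kept as pending state only."""
    pending = {}  # ip -> timestamp of the most recent msiexec.exe upload
    chains = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(API_PREFIX):
            continue
        if PAYLOAD_NAME not in rec["path"].lower():
            continue
        ip, ts = rec["ip"], rec["ts"]
        prev = pending.get(ip)
        if prev is not None and ts - prev <= window:
            chains.append((ip, prev, ts))   # stage 1 + stage 2 from one source
            del pending[ip]
        elif rec["method"] == "POST":
            pending[ip] = ts                # candidate upload, wait for the launch
    return chains

if __name__ == "__main__":
    for ip, first, second in find_exploit_chains(SAMPLE_LOG):
        print(f"possible CVE-2021-44077 chain from {ip}: upload {first}, launch {second}")
```

The 16:30 GET from the same source is ignored because its earlier upload was already consumed and a GET is not treated as a new upload.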

