A new active cyber-espionage campaign that has already compromised at least nine global organisations in the defence, education, energy, healthcare and technology sectors has been uncovered by Palo Alto's Unit 42.

According to the company, the objective appears to be to maintain long-term access to facilitate espionage. The tactics and tools of this actor are similar to the Chinese threat group, Emissary Panda.

At least 370 organisations across the United States were included in fairly broad scanning to identify vulnerable Zoho servers. Telemetry from their targeting shows connections between malicious servers and U.S. organisations, including Department of Defence agencies, defence contractors, educational institutions and healthcare organisations.

The attackers eventually compromised at least nine global organisations in the defence, education, energy, healthcare and technology industries.

"Our researchers have discovered that nine global organisations have fallen victim to a difficult-to-detect, ongoing espionage campaign that exploits known vulnerabilities in identity access software from Zoho that were patched in September," says Palo Alto Networks Asia Pacific - Japan, regional chief security officer, Sean Duca.

"Our report provides indicators of compromise that Zoho customers can use to determine if they've been breached by this attack," he says.

"We advise organisations in Australia's public and private sectors to install security patches for critical vulnerabilities as quickly as possible after they are released to avoid falling victim to similar types of attacks."

There are more than 11,000 internet-exposed systems around the globe running the affected Zoho software, according to scans with the Palo Alto Networks Cortex Xpanse platform. The scans did not indicate what percent of those systems have already been patched.

The difficult-to-detect attack exploits known vulnerabilities in Zoho's Manage Engine Self Service Plus (an identity and access management tool) that Zoho patched on 6 September 2021. These attacks began on 17 September, a day after CISA issued an alert about another campaign exploiting those same Zoho vulnerabilities.

"Unit 42 is releasing this information to help organisations uncover and remediate these difficult-to-find compromises. The research report is a call to action for organisations to quickly identify all servers running the vulnerable software and apply these patches ASAP," the company says.

Palo Alto Networks says it has incorporated protections into its security products. It has also shared file samples, indicators of compromise and other findings with government partners around the globe and fellow members of the Cyber Threat Alliance.

CTA members use such intelligence to rapidly deploy protections to their customers, and to systematically disrupt malicious cyber actors.

The findings underscore the need for organisations to quickly respond to disclosures of critical vulnerabilities by installing patches and taking other precautions to block attacks. This is especially the case for high-value targets in critical sectors that are constantly being probed for vulnerabilities.