State-sponsored hacking group targets Port of Houston using Zoho zero-day - The Record by Recorded Future

A suspected state-sponsored hacking group has attempted to breach the network of the Port of Houston, one of the largest port authorities in the US, by exploiting a zero-day vulnerability in a Zoho user-authentication product, CISA officials said in a Senate hearing today.

Port officials said they successfully defended the attack, and “no operational data or systems were impacted as a result” of the attempted intrusion.

The investigation into the attack led CISA, the FBI, and the Coast Guard to issue a joint advisory on September 16 warning US organizations about attacks carried out by a nation-state hacking group using the Zoho zero-day.

According to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike, the zero-day had been exploited in attacks since late August.

Zoho patched the vulnerability (CVE-2021-40539, an authentication bypass in its ManageEngine ADSelfService Plus password self-service and single sign-on product) on September 8, the same day CISA issued its first warning about the ongoing attacks.

The attack has not yet been attributed to a specific foreign government
CISA officials said they have not yet attributed the attack against the Port of Houston to a specific hacking group or foreign government.

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators today in a meeting of the Senate Homeland Security and Governmental Affairs Committee.

“Certainly, the most sophisticated threat actors go to great lengths, as we saw with SolarWinds, to be able to cover their tracks and obfuscate their presence so that they can live for long times in networks and be able to extract data.

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” added the CISA Director, who categorized the attackers as a “nation-state actor” in an answer to a subsequent question.