In a new joint security advisory, the FBI, CISA and the Coast Guard Cyber Command (CGCYBER) are warning enterprise organizations that state-sponsored advanced persistent threat (APT) groups are actively exploiting a critical flaw in software from Zoho.
The vulnerability itself, tracked as CVE-2021-40539, was discovered in Zoho’s ManageEngine ADSelfService Plus software that provides both single sign-on and password management capabilities. If this flaw is exploited successfully, it can allow an attacker to take over vulnerable systems on a company’s network.
This new joint security advisory comes on the heels of a similar warning recently issued by CISA alerting organizations that the security flaw, which can be exploited to achieve remote code execution, in Zoho’s software is being actively exploited in the wild.
CISA provided further details on how threat actors are exploiting this vulnerability in its joint security advisory with the FBI and CGCYBER, saying:
“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”
When the authentication bypass vulnerability in ManageEngine ADSelfService has been exploited in the wild, attackers have leveraged it to deploy JavaServer Pages (JSP) web shells disguised as an X509 certificate.
By deploying this web shell, attackers are able to move laterally across an organization’s network using Windows Management Instrumentation (WMI) to gain access to domain controllers and dump NTDS.dit and SECURITY/SYSTEM registry hives according to a new report from BleepingComputer.
It’s worth noting that the APT groups actively exploiting this vulnerability in the wild have launched attacks targeting organizations across a variety of industries including academia, defense, transportation, IT, manufacturing, communications, logistics and finance.
Organizations that use Zoho ManageEngine ADSelfService should update their software to the latest version which was released earlier this month and contains a patch for CVE-2021-40539. The FBI, CISA and CGCYBER also recommend that organizations ensure that ADSelfService Plus is not directly accessible from the internet to prevent falling victim to any potential attacks leveraging this vulnerability.