It Seems that State-backed APT Groups Are Actively Exploiting a Critical Flaw in Zoho.
Last updated on September 17, 2021
The vulnerability in question has existed in the single sign-on and password management solution since early August 2021.
Zoho Corporation is an Indian multinational technology company that creates web-based business tools and is best known for its online office suite, Zoho.
The vulnerability, tracked as CVE-2021-40539, was discovered in the Zoho ManageEngine ADSelfService Plus software.
Following successful exploitation, the vulnerability can allow attackers to take over vulnerable systems.
The above-mentioned security advisory comes after a previous warning that was issued by CISA.
CISA explained at the time that CVE-2021-40539 was being used in in-the-wild attacks that allowed the threat actors to execute malicious code remotely on compromised systems.
CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
In the attacks in which the CVE-2021-40539 exploits were used, the attackers have apparently been deploying a JavaServer Pages (JSP) web shell camouflaged as an X.509 certificate.
X.509 is an International Telecommunication Union (ITU) standard that defines the format of public-key certificates. These certificates are used in many Internet protocols. An X.509 certificate binds an identity to a public key using a digital signature.
The deployed web shell is then used to move laterally via Windows Management Instrumentation (WMI) in order to reach the domain controllers and dump NTDS.dit and the SECURITY/SYSTEM registry hives.
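As an added defensive check (not code from the article, CISA or Zoho), the Python below classifies files stored under a certificate extension: a clean PEM or DER X.509 blob passes, while JSP syntax sitting behind a certificate file name, the disguise described above, is flagged. The sample blobs are constructed, and the JSP markers and DER header check are heuristics rather than a full parser.

```python
import re
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der"}
JSP_MARKERS = (b"<%@", b"<%=", b"<jsp:", b"<%", b"%>")  # JSP syntax has no place in a certificate

def _der_sequence_length(data: bytes):
    """Decode the outer DER SEQUENCE header; return its total encoded size, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:   # every X.509 certificate starts with a SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_cert_bytes(data: bytes) -> str:
    """Return 'pem', 'der', 'jsp-masquerade' or 'unknown' for bytes stored under a certificate extension."""
    body = data.strip()
    if body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER):
        inner = body[len(PEM_HEADER):-len(PEM_FOOTER)]
        if re.fullmatch(rb"[A-Za-z0-9+/=\s]*", inner):  # a PEM body must be pure base64
            return "pem"
    elif _der_sequence_length(data) == len(data):      # outer SEQUENCE must span the whole file
        return "der"
    if any(marker in data for marker in JSP_MARKERS):  # heuristic: JSP tags in a "certificate"
        return "jsp-masquerade"
    return "unknown"

def scan_directory(root: Path) -> list:
    """(path, verdict) pairs for certificate-extension files that are not a clean PEM or DER."""
    return [(str(p), v) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in CERT_EXTENSIONS
            and (v := classify_cert_bytes(p.read_bytes())) not in ("pem", "der")]

# Constructed samples for illustration (not real certificates and not real attacker files)
SAMPLES = {
    "good.pem": PEM_HEADER + b"\nMIIBszCCAVmgAwIBAgIUQ==\n" + PEM_FOOTER + b"\n",
    "good.der": b"\x30\x82\x01\x00" + b"\x00" * 256,          # length header matches file size
    "shell.cer": b'<%@ page language="java" %>\n<% out.println(request.getParameter("q")); %>',
    "wrapped.crt": PEM_HEADER + b"\n<% out.println(1); %>\n" + PEM_FOOTER,
}

def classify_samples() -> dict:
    return {name: classify_cert_bytes(blob) for name, blob in SAMPLES.items()}
```

Point `scan_directory` at the web application's deployment root to list every certificate-named file that is neither PEM nor DER; each hit deserves a manual look.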
Until recently, the APT organizations responsible for these assaults have targeted a wide range of industries, including academic institutions, defense contractors, and critical infrastructure entities (e.g., transportation, IT, manufacturing, communications, logistics, and finance).
The company stated in a later security notification that it is “noticing indicators of this vulnerability being exploited” in the wild.
The FBI, CISA, and CGCYBER strongly advise businesses to apply the ADSelfService Plus build 6114 update as soon as possible and to ensure that ADSelfService Plus is not directly accessible from the Internet.
Additionally, the FBI, CISA, and CGCYBER strongly recommend domain-wide password resets and a double Kerberos Ticket Granting Ticket (TGT) password reset if any indication is found that the NTDS.dit file was compromised.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.