In a new joint security advisory, the FBI, CISA and the Coast Guard Cyber Command (CGCYBER) warn business organizations that government-sponsored Advanced Persistent Threat (APT) groups are actively exploiting a critical bug in Zoho’s software.
The vulnerability itself, tracked as CVE-2021-40539, was found in Zoho’s ManageEngine ADSelfService Plus software, which provides both single sign-on and password management capabilities. If it is successfully exploited, an attacker can take over vulnerable systems on the company network.
This new joint security advisory follows a similar warning recently issued by CISA, which alerted organizations that this remote code execution vulnerability in Zoho’s software is being actively exploited in the wild.
CISA has provided further details on how threat actors exploit this vulnerability in its joint security advisory with the FBI and CGCYBER:
“Use of ManageEngine ADSelfService Plus presents a serious risk to critical infrastructure companies, US-licensed defense companies, academic institutions, and other institutions using the software. Successful exploitation of the vulnerability allows an attacker to place webshells that allow the adversary to perform post-exploitation activities, such as:
In the attacks observed in the wild, the ManageEngine ADSelfService Plus authentication bypass was used to deploy JavaServer Pages (JSP) web shells disguised as an X.509 certificate.
Through this web shell, attackers can use Windows Management Instrumentation (WMI) to move laterally across an organization’s network and gain access to domain controllers, the NTDS.dit database, and the SECURITY and SYSTEM registry hives, according to a new report from BleepingComputer.
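A defender-side check suggested by the disguise described above, written as an added example that is not from the advisory, BleepingComputer or Zoho: given the bytes of a file dropped under a certificate-looking name, decide whether they form an X.509 structure or carry JSP scriptlets. The sample inputs are constructed, and the DER check validates only the outer SEQUENCE framing, not the certificate contents.

```python
import base64
import re

# Added example. PEM wrapper with a base64 body, and JSP scriptlet/directive tags.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.S)
JSP_RE = re.compile(rb"<%(?:@|=|!)?.*?%>", re.S)


def _is_der_sequence(der: bytes) -> bool:
    """True if der is exactly one complete ASN.1 SEQUENCE (the outer X.509 framing)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: low 7 bits give the length-of-length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def classify(data: bytes) -> str:
    """Return 'jsp-web-shell', 'pem-certificate', 'der-certificate' or 'unknown'."""
    if JSP_RE.search(data):
        return "jsp-web-shell"            # JSP tags never belong in a certificate file
    m = PEM_RE.search(data)
    if m:
        body = re.sub(rb"\s+", b"", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            return "unknown"
        return "pem-certificate" if _is_der_sequence(der) else "unknown"
    return "der-certificate" if _is_der_sequence(data) else "unknown"


# Constructed samples: a minimal DER SEQUENCE { INTEGER 5 }, its PEM wrapping, and
# the same PEM wrapper hiding a JSP scriptlet instead of a certificate body.
FAKE_DER = b"\x30\x03\x02\x01\x05"
GOOD_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
            + b"-----END CERTIFICATE-----\n")
DISGUISED = (b"-----BEGIN CERTIFICATE-----\n"
             b'<%@ page import="java.io.*" %><% out.println("x"); %>\n'
             b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PEM), ("disguised", DISGUISED), ("der", FAKE_DER)]:
        print(name, classify(blob))
```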
It’s worth noting that the APT groups that are actively exploiting this vulnerability have launched attacks against organizations in a variety of industries including science, defense, transportation, IT, manufacturing, communications, logistics, and finance.
Organizations using Zoho ManageEngine ADSelfService Plus should update to the latest version, which was released earlier this month and includes a patch for CVE-2021-40539. The FBI, CISA, and CGCYBER also recommend ensuring that ADSelfService Plus is not directly accessible from the Internet, so that it cannot be reached by attacks that exploit this vulnerability.