In a new joint security advisory, the FBI, CISA and the Coast Guard Cyber Command (CGCYBER) are warning enterprise organizations that state-sponsored advanced persistent threat (APT) groups are actively exploiting a critical flaw in software from Zoho.
The vulnerability, tracked as CVE-2021-40539, was discovered in Zoho's ManageEngine ADSelfService Plus software, which provides both single sign-on and password management capabilities. If the flaw is exploited successfully, it can allow an attacker to take over vulnerable systems on a company's network.
This new joint security advisory comes on the heels of a similar warning recently issued by CISA, alerting organizations that the security flaw in Zoho's software, which can be exploited to achieve remote code execution, is being actively exploited in the wild.
CISA provided further details on how threat actors are exploiting this vulnerability in its joint security advisory with the FBI and CGCYBER, saying:
“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”
When the authentication bypass vulnerability in ManageEngine ADSelfService Plus has been exploited in the wild, attackers have leveraged it to deploy JavaServer Pages (JSP) web shells disguised as an X509 certificate.
By deploying this web shell, attackers are able to move laterally across an organization's network using Windows Management Instrumentation (WMI) to gain access to domain controllers and dump NTDS.dit and the SECURITY/SYSTEM registry hives, according to a new report from BleepingComputer.
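One check a defender can run on an ADSelfService Plus host follows from the detail above: a file named like a certificate should contain PEM or DER certificate data, not JSP markup. This is an added example, not code from the advisory, Zoho or BleepingComputer; the file extensions, JSP markers and sample files are assumptions constructed for the demo.

```python
"""Flag JSP web shells masquerading as X.509 certificate files (added example)."""
import os
import re
import tempfile

# Extensions a certificate file would normally carry (assumption for this example).
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der"}
# JSP markup has no business inside a certificate file.
JSP_MARKERS = re.compile(rb"<%|<jsp:")
# PEM: base64 body between BEGIN/END CERTIFICATE markers.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")


def looks_like_certificate(data: bytes) -> bool:
    """True for a plausible PEM body or a DER blob (ASN.1 SEQUENCE tag 0x30)."""
    return bool(PEM_RE.search(data)) or data[:1] == b"\x30"


def classify(data: bytes) -> str:
    """Return 'jsp_webshell', 'certificate' or 'unknown' for file content.
    JSP markers are checked first so a fake PEM header cannot mask the markup."""
    if JSP_MARKERS.search(data):
        return "jsp_webshell"
    if looks_like_certificate(data):
        return "certificate"
    return "unknown"


def scan_directory(root: str) -> list:
    """Walk root; report (relative path, verdict) for cert-named files that are not certs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CERT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read(4096))  # head of file is enough to decide
            if verdict != "certificate":
                findings.append((os.path.relpath(path, root), verdict))
    return findings


def demo() -> list:
    """Build a constructed sample tree (benign JSP, not a real shell) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "good.pem": b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIU\n-----END CERTIFICATE-----\n",
        "fake.cer": b'<%@ page language="java" %><% out.println("constructed"); %>',
        "notes.txt": b"<% wrong extension, not scanned %>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sorted(scan_directory(root))
```

Run `demo()` to see the constructed tree scanned; in practice point `scan_directory` at the web root of the ADSelfService Plus install.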
It's worth noting that the APT groups actively exploiting this vulnerability in the wild have launched attacks targeting organizations across a variety of industries including academia, defense, transportation, IT, manufacturing, communications, logistics and finance.
Organizations that use Zoho ManageEngine ADSelfService Plus should update their software to the latest version, which was released earlier this month and contains a patch for CVE-2021-40539. The FBI, CISA and CGCYBER also recommend that organizations ensure that ADSelfService Plus is not directly accessible from the internet, to prevent falling victim to any potential attacks leveraging this vulnerability.
Via BleepingComputer