Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Global Companies Compromised via ADSelfService Plus Exploitation

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.

Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.

A week later, CISA, the FBI, and the Coast Guard Cyber Command (CGCYBER) issued an advisory to warn of advanced persistent threat (APT) actors targeting the vulnerability in attacks, underlining that academic institutions, critical infrastructure, and defense contractors are at risk the most.

[ READ: Zoho Confirms Zero-Day Authentication Bypass Attacks ]

According to Palo Alto Networks researchers, following the scanning of hundreds of vulnerable ADSelfService Plus deployments on September 17, adversaries started actual exploitation attempts on September 22.

“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” Palo Alto Networks said in a research report.

Following the initial compromise, the threat actor installed a Godzilla webshell onto the vulnerable systems while some organizations were also infected with a new version of the NGLite backdoor. Both are publicly available on GitHub.

Leveraging these tools, the adversaries then moved laterally onto the compromised network and exfiltrated data of interest. On domain controllers, the attackers installed the KdcSponge credential-stealing tool.

Palo Alto Networks said it was unable to associate the activity with a known adversary, but did observe similarities with the tactics and tooling used by Emissary Panda (TG-3390, APT27).

Consistent across the attacks was the fact that sensitive files were exfiltrated through password-protected multi-volume RAR archives that were downloaded directly from externally facing web servers.

“[We] believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the Palo Alto Networks researchers added.

Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch

Related: Port of Houston Target of Suspected Nation-State Hack

Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.