At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.
The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.
Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.
A week later, CISA, the FBI, and the Coast Guard Cyber Command (CGCYBER) issued an advisory to warn of advanced persistent threat (APT) actors targeting the vulnerability in attacks, underlining that academic institutions, critical infrastructure, and defense contractors are at risk the most.
According to Palo Alto Networks researchers, following the scanning of hundreds of vulnerable ADSelfService Plus deployments on September 17, adversaries started actual exploitation attempts on September 22.
“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” Palo Alto Networks said in a research report.
Following the initial compromise, the threat actor installed a Godzilla webshell onto the vulnerable systems while some organizations were also infected with a new version of the NGLite backdoor. Both are publicly available on GitHub.
Leveraging these tools, the adversaries then moved laterally onto the compromised network and exfiltrated data of interest. On domain controllers, the attackers installed the KdcSponge credential-stealing tool.
Palo Alto Networks said it was unable to associate the activity with a known adversary, but did observe similarities with the tactics and tooling used by Emissary Panda (TG-3390, APT27).
Consistent across the attacks was the fact that sensitive files were exfiltrated through password-protected multi-volume RAR archives that were downloaded directly from externally facing web servers.
“[We] believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the Palo Alto Networks researchers added.