At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.
The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.
Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.
A week later, CISA, the FBI, and the Coast Guard Cyber Command (CGCYBER) issued an advisory to warn of advanced persistent threat (APT) actors targeting the vulnerability in attacks, underlining that academic institutions, critical infrastructure, and defense contractors are at risk the most.
[ READ: Zoho Confirms Zero-Day Authentication Bypass Attacks ]
According to Palo Alto Networks researchers, following the scanning of hundreds of vulnerable ADSelfService Plus deployments on September 17, adversaries started actual exploitation attempts on September 22.
“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” Palo Alto Networks said in a research report.
Following the initial compromise, the threat actor installed a Godzilla webshell onto the vulnerable systems while some organizations were also infected with a new version of the NGLite backdoor. Both are publicly available on GitHub.
Leveraging these tools, the adversaries then moved laterally onto the compromised network and exfiltrated data of interest. On domain controllers, the attackers installed the KdcSponge credential-stealing tool.
Palo Alto Networks said it was unable to associate the activity with a known adversary, but did observe similarities with the tactics and tooling used by Emissary Panda (TG-3390, APT27).
Consistent across the attacks was the fact that sensitive files were exfiltrated through password-protected multi-volume RAR archives that were downloaded directly from externally facing web servers.
“[We] believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the Palo Alto Networks researchers added.
Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch
Related: Port of Houston Target of Suspected Nation-State Hack
Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

More from Ionut Arghire
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
Latest News
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- Anti-Bot Software Firm DataDome Banks $42M Financing
