Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Global Companies Compromised via ADSelfService Plus Exploitation

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.

Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.

A week later, CISA, the FBI, and the Coast Guard Cyber Command (CGCYBER) issued an advisory to warn of advanced persistent threat (APT) actors targeting the vulnerability in attacks, underlining that academic institutions, critical infrastructure, and defense contractors are at risk the most.

[ READ: Zoho Confirms Zero-Day Authentication Bypass Attacks ]

According to Palo Alto Networks researchers, following the scanning of hundreds of vulnerable ADSelfService Plus deployments on September 17, adversaries started actual exploitation attempts on September 22.

“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” Palo Alto Networks said in a research report.

Following the initial compromise, the threat actor installed a Godzilla webshell onto the vulnerable systems while some organizations were also infected with a new version of the NGLite backdoor. Both are publicly available on GitHub.

Leveraging these tools, the adversaries then moved laterally onto the compromised network and exfiltrated data of interest. On domain controllers, the attackers installed the KdcSponge credential-stealing tool.

Palo Alto Networks said it was unable to associate the activity with a known adversary, but did observe similarities with the tactics and tooling used by Emissary Panda (TG-3390, APT27).

Consistent across the attacks was the fact that sensitive files were exfiltrated through password-protected multi-volume RAR archives that were downloaded directly from externally facing web servers.

“[We] believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the Palo Alto Networks researchers added.

Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch

Related: Port of Houston Target of Suspected Nation-State Hack

Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.