The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.
Tracked as CVE-2021-40539, the critical severity bug (CVSS 9.8) was already being targeted in attacks when Zoho released patches for the self-service password management and single sign-on utility in September 2021.
The issue resides in the representational state transfer (REST) application programming interface (API) URLs, allowing attackers to bypass authentication and execute code remotely, ultimately taking over a vulnerable system.
One week after Zoho announced the release of patches for the vulnerability, U.S. security response agencies warned that advanced persistent threat (APT) actors were likely targeting the vulnerability in attacks, urging organizations to apply the available patches as a matter of urgency.
Organizations at risk, the U.S. agencies said, include academic institutions, critical infrastructure and defense contractors.
[ READ: Global Companies Compromised via Zoho ADSelfService Plus Flaw ]
CISA, the FBI and CGCYBER on Friday updated an alert to add more details on the exploitation of CVE-2021-40539, noting that the observed attacks are characterized by the use of a dropper Trojan designed to deploy the Godzilla Chinese language webshell on the vulnerable systems.
In addition, the agencies said the threat actor was observed using NGLite (a Go backdoor Trojan) and KdcSponge (a tool designed to steal credentials through the targeting of undocumented APIs in Microsoft’s implementation of Kerberos).
“The FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector,” according to the latest advisory.
Related: Global Companies Compromised via ADSelfService Plus Exploitation
Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day
More from Ionut Arghire
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
- New Wi-Fi Attack Allows Traffic Interception, Security Bypass
- Casino Giant Crown Resorts Investigating Ransomware Group’s Data Theft Claims
- Over 200 Organizations Targeted in Chinese Cyberespionage Campaign
- Nigerian BEC Scammer Sentenced to Prison in US
Latest News
- Anti-Bot Software Firm DataDome Banks $42M Financing
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Why Endpoint Resilience Matters
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- UK Introduces Mass Surveillance With Online Safety Bill
