The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.
Tracked as CVE-2021-40539, the critical severity bug (CVSS 9.8) was already being targeted in attacks when Zoho released patches for the self-service password management and single sign-on utility in September 2021.
The issue resides in the representational state transfer (REST) application programming interface (API) URLs, allowing attackers to bypass authentication and execute code remotely, ultimately taking over a vulnerable system.
One week after Zoho announced the release of patches for the vulnerability, U.S. security response agencies warned that advanced persistent threat (APT) actors were likely targeting the vulnerability in attacks, urging organizations to apply the available patches as a matter of urgency.
Organizations at risk, the U.S. agencies said, include academic institutions, critical infrastructure and defense contractors.
CISA, the FBI and CGCYBER on Friday updated an alert to add more details on the exploitation of CVE-2021-40539, noting that the observed attacks are characterized by the use of a dropper Trojan designed to deploy the Godzilla Chinese language webshell on the vulnerable systems.
In addition, the agencies said the threat actor was observed using NGLite (a Go backdoor Trojan) and KdcSponge (a tool designed to steal credentials through the targeting of undocumented APIs in Microsoft’s implementation of Kerberos).
“The FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector,” according to the latest advisory.