Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

U.S. Agencies Share More Details on ADSelfService Plus Vulnerability Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.

Tracked as CVE-2021-40539, the critical severity bug (CVSS 9.8) was already being targeted in attacks when Zoho released patches for the self-service password management and single sign-on utility in September 2021.

The issue resides in the representational state transfer (REST) application programming interface (API) URLs, allowing attackers to bypass authentication and execute code remotely, ultimately taking over a vulnerable system.

One week after Zoho announced the release of patches for the vulnerability, U.S. security response agencies warned that advanced persistent threat (APT) actors were likely targeting the vulnerability in attacks, urging organizations to apply the available patches as a matter of urgency.

Organizations at risk, the U.S. agencies said, include academic institutions, critical infrastructure and defense contractors.

[ READ: Global Companies Compromised via Zoho ADSelfService Plus Flaw ]

CISA, the FBI and CGCYBER on Friday updated an alert to add more details on the exploitation of CVE-2021-40539, noting that the observed attacks are characterized by the use of a dropper Trojan designed to deploy the Godzilla Chinese language webshell on the vulnerable systems.

In addition, the agencies said the threat actor was observed using NGLite (a Go backdoor Trojan) and KdcSponge (a tool designed to steal credentials through the targeting of undocumented APIs in Microsoft’s implementation of Kerberos).

Advertisement. Scroll to continue reading.

“The FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector,” according to the latest advisory.

Related: Global Companies Compromised via ADSelfService Plus Exploitation

Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.