
U.S. Agencies Share More Details on ADSelfService Plus Vulnerability Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have shared new details on in-the-wild attacks targeting a recently patched flaw in Zoho’s ManageEngine ADSelfService Plus product.

Tracked as CVE-2021-40539, the critical severity bug (CVSS 9.8) was already being targeted in attacks when Zoho released patches for the self-service password management and single sign-on utility in September 2021.

The issue resides in the product's representational state transfer (REST) API URLs: a request to those URLs can bypass authentication, and the bypass can be chained into remote code execution, ultimately giving the attacker control of the vulnerable system.
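The article describes the flaw only as an authentication bypass in the REST API URLs and does not give the specific request that triggers it. The example below, added here and not code from the article, from Zoho or from the advisory, illustrates the general class such bugs fall into: an authentication filter that compares the raw request path against a protected prefix while the servlet container resolves the path after normalization. Everything in it is an assumption for illustration: the `/RestAPI/` prefix, the `/RestAPI/Example` endpoint, and the access-log lines are constructed, and nothing here is the actual bypass used against ADSelfService Plus.

```python
"""Illustrative check for path-normalization authentication bypass.

A filter that does ``raw_path.startswith("/RestAPI/")`` treats
``/./RestAPI/Example`` as unprotected, but the application serving the
request resolves the same string to ``/RestAPI/Example``.  Comparing the
canonical form instead closes that gap; the same routine, run over access
logs, flags requests whose raw and canonical paths disagree on protection.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed protected prefix for illustration; the advisory names no endpoints.
PROTECTED_PREFIX = "/RestAPI/"

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2021:12:00:01 +0000] "GET /RestAPI/Example HTTP/1.1" 401 0
10.0.0.7 - - [10/Nov/2021:12:00:03 +0000] "POST /./RestAPI/Example HTTP/1.1" 200 91
10.0.0.7 - - [10/Nov/2021:12:00:04 +0000] "POST /images/../RestAPI/Example?x=1 HTTP/1.1" 200 80
10.0.0.7 - - [10/Nov/2021:12:00:05 +0000] "POST /%2e/RestAPI/Example HTTP/1.1" 200 80
10.0.0.7 - - [10/Nov/2021:12:00:06 +0000] "GET //RestAPI/Example HTTP/1.1" 200 80
10.0.0.9 - - [10/Nov/2021:12:00:07 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(raw_path: str) -> str:
    """Return the path as the backend would resolve it.

    Drops the query string, percent-decodes until the string is stable (so
    ``%252e`` is caught as well as ``%2e``), collapses repeated slashes, and
    resolves ``.`` and ``..`` segments.  ``/../RestAPI/x`` resolves to
    ``/RestAPI/x`` because normpath never climbs above the root.
    """
    path = raw_path.split("?", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def naive_is_protected(raw_path: str) -> bool:
    """The weak check: a string prefix match on the raw request path."""
    return raw_path.startswith(PROTECTED_PREFIX)


def is_protected(raw_path: str) -> bool:
    """The hardened check: decide on the canonical path, not the raw one."""
    canon = canonical_path(raw_path)
    return canon == PROTECTED_PREFIX.rstrip("/") or canon.startswith(PROTECTED_PREFIX)


def find_bypass_attempts(log_text: str):
    """Return (ip, method, raw_path, canonical_path) for every request that
    the naive filter would let through but that resolves into the protected
    prefix.  Such requests are worth triage regardless of response status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if is_protected(path) and not naive_is_protected(path):
            hits.append((m["ip"], m["method"], path, canonical_path(path)))
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log the detector reports the four non-canonical requests to the protected prefix and ignores the plainly-formed ones. The design point is that the decision to enforce authentication must be made on the same representation of the URL that the request dispatcher uses; any check made on the raw string is a mismatch waiting to be exploited.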

One week after Zoho announced the release of patches for the vulnerability, U.S. security response agencies warned that advanced persistent threat (APT) actors were likely targeting the vulnerability in attacks, urging organizations to apply the available patches as a matter of urgency.

Organizations at risk, the U.S. agencies said, include academic institutions, critical infrastructure and defense contractors.


CISA, the FBI and CGCYBER on Friday updated their alert with more details on the exploitation of CVE-2021-40539, noting that the observed attacks are characterized by a dropper Trojan that deploys Godzilla, a Chinese-language webshell, on the compromised systems.

In addition, the agencies said the threat actor was observed using NGLite (a backdoor Trojan written in Go) and KdcSponge (a credential-stealing tool that targets undocumented APIs in Microsoft's implementation of Kerberos).

“The FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector,” according to the latest advisory.

Related: Global Companies Compromised via ADSelfService Plus Exploitation

Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
