Security Experts:

U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.

Tracked as CVE-2021-40539 and rated critical severity (CVSS score of 9.8), the vulnerability has been exploited since August 2021 to execute code remotely and take over vulnerable systems.

Affecting the representational state transfer (REST) application programming interface (API) URLs of the self-service password management and single sign-on solution, the issue is an authentication bypass bug that affects all ADSelfService Plus builds up to 6113.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” reads a joint advisory issued on Thursday.

Academic institutions, critical infrastructure (communications, finance, IT, logistics, manufacturing, transportation, and others), and defense contractors are at risk of compromise because of their use of ADSelfService Plus.

“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory reads.

An attacker able to successfully exploit CVE-2021-40539 can upload a .zip archive containing a JavaServer Pages (JSP) webshell posing as an x509 certificate. The attacker then leverages Windows Management Instrumentation (WMI) for lateral movement. Adversaries also attempt to access domain controllers and expand access.

“Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell,” the joint advisory reads.

The security defect was addressed in ADSelfService Plus build 6114 and customers are advised to update to it as soon as possible. Furthermore, the FBI, CISA, and CGCYBER strongly recommend that organizations keep ADSelfService Plus disconnected from the Internet.

Related: Recently Patched Confluence Vulnerability Exploited in the Wild

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

Related: CISA Issues Emergency Directive to Address 'PrintNightmare' Vulnerability

view counter