Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.

Tracked as CVE-2021-40539 and rated critical severity (CVSS score of 9.8), the vulnerability has been exploited since August 2021 to execute code remotely and take over vulnerable systems.

Affecting the representational state transfer (REST) application programming interface (API) URLs of the self-service password management and single sign-on solution, the issue is an authentication bypass bug that affects all ADSelfService Plus builds up to 6113.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” reads a joint advisory issued on Thursday.

Academic institutions, critical infrastructure (communications, finance, IT, logistics, manufacturing, transportation, and others), and defense contractors are at risk of compromise because of their use of ADSelfService Plus.

“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory reads.

An attacker able to successfully exploit CVE-2021-40539 can upload a .zip archive containing a JavaServer Pages (JSP) webshell posing as an x509 certificate. The attacker then leverages Windows Management Instrumentation (WMI) for lateral movement. Adversaries also attempt to access domain controllers and expand access.

“Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell,” the joint advisory reads.

Advertisement. Scroll to continue reading.

The security defect was addressed in ADSelfService Plus build 6114 and customers are advised to update to it as soon as possible. Furthermore, the FBI, CISA, and CGCYBER strongly recommend that organizations keep ADSelfService Plus disconnected from the Internet.

Related: Recently Patched Confluence Vulnerability Exploited in the Wild

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

Related: CISA Issues Emergency Directive to Address ‘PrintNightmare’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Security awareness training firm KnowBe4 has named Bryan Palma as president and CEO effective May 5.

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.