Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoho’s ManageEngine ADSelfService Plus product.

Tracked as CVE-2021-40539 and rated critical severity (CVSS score of 9.8), the vulnerability has been exploited since August 2021 to execute code remotely and take over vulnerable systems.

Affecting the representational state transfer (REST) application programming interface (API) URLs of the self-service password management and single sign-on solution, the issue is an authentication bypass bug that affects all ADSelfService Plus builds up to 6113.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” reads a joint advisory issued on Thursday.

Academic institutions, critical infrastructure (communications, finance, IT, logistics, manufacturing, transportation, and others), and defense contractors are at risk of compromise because of their use of ADSelfService Plus.

“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory reads.

An attacker able to successfully exploit CVE-2021-40539 can upload a .zip archive containing a JavaServer Pages (JSP) webshell posing as an x509 certificate. The attacker then leverages Windows Management Instrumentation (WMI) for lateral movement. Adversaries also attempt to access domain controllers and expand access.

“Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell,” the joint advisory reads.

The security defect was addressed in ADSelfService Plus build 6114 and customers are advised to update to it as soon as possible. Furthermore, the FBI, CISA, and CGCYBER strongly recommend that organizations keep ADSelfService Plus disconnected from the Internet.

Related: Recently Patched Confluence Vulnerability Exploited in the Wild

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

Related: CISA Issues Emergency Directive to Address ‘PrintNightmare’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.