The FBI, CISA and CGCYBER have warned of a newly identified critical vulnerability in Zoho ManageEngine ADSelfService Plus software.

  • The FBI, CISA and CGCYBER warn that nation-state APT groups are actively exploiting a critical vulnerability in the Zoho ManageEngine ADSelfService Plus software.
  • The vulnerability, tracked as CVE-2021-40539, affects the product's password management and single sign-on functionality.

The FBI, CISA and the Coast Guard Cyber Command (CGCYBER) today warned that nation-state APT groups are actively exploiting a critical flaw tracked as CVE-2021-40539 in a Zoho single sign-on and password management solution.

The vulnerability was found in the REST API URLs in ADSelfService Plus and could lead to remote code execution (RCE).

Zoho’s customer list includes "three out of five Fortune 500 companies," including Apple, Intel, Nike, PayPal, HBO, and many more.

CISA issued a warning last week about in-the-wild attacks exploiting CVE-2021-40539, which could allow threat actors to execute malicious code remotely on compromised systems.

"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defence contractors, academic institutions, and other entities that use the software," the joint advisory warns.

In incidents where CVE-2021-40539 exploits have been used, attackers have been observed deploying a JavaServer Pages (JSP) web shell masquerading as an X.509 certificate.

“Subsequent requests are then made to different API endpoints to further exploit the victim’s system,” continues the alert. “After the initial exploitation, the JSP webshell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, continues the compromised access.”
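The advisory quoted above gives defenders one concrete indicator: the web shell path. The following script, an added example that is not part of the article or the advisory, scans web-server access-log lines for that exact path and, as a broader heuristic (an assumption on my part, not from the advisory, that the help tree normally serves only static documentation), for any other JSP requested under /help/. The log lines are constructed samples in Apache/Tomcat combined format.

```python
import re
from typing import Dict, List

# Web shell path named in the joint advisory quoted in the article.
WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"

# Constructed sample access-log lines for illustration (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Sep/2021:10:01:12 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp?cmd=whoami HTTP/1.1" 200 512
203.0.113.9 - - [16/Sep/2021:10:01:15 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 8123
198.51.100.7 - - [16/Sep/2021:10:02:40 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 2048
192.0.2.5 - - [16/Sep/2021:10:03:01 +0000] "GET /help/admin-guide/Reports/custom.jsp HTTP/1.1" 404 310
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def find_webshell_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that matches the web shell indicators."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path == WEBSHELL_PATH:
            reason = "known web shell path from advisory"
        elif path.startswith("/help/") and path.lower().endswith(".jsp"):
            # Assumption: the help tree should only serve static docs, so any
            # JSP here is suspicious even when it returns 404 (probing).
            reason = "unexpected JSP under static help directory"
        else:
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "method": m.group("method"), "path": path,
                     "status": m.group("status"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Every hit shares the same source IP apart from the 404 probe, which is the kind of grouping worth feeding into the password-reset and incident-reporting steps the advisory recommends.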

The FBI, CISA and CGCYBER urge organisations to update their installations immediately. They also strongly recommend domain-wide password resets and a double Kerberos Ticket Granting Ticket (TGT) password reset if there is any evidence that the NTDS.dit file was compromised.

Impacted organisations should immediately report the incident to CISA or the FBI.