CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug (Security News, September 2021)

The FBI, CISA and the U.S. Coast Guard Cyber Command warned today that state-backed advanced persistent threat actors are likely among those who've been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.
At issue is a critical authentication bypass vulnerability in the Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution and thus open the corporate doors to attackers, who can then run amok with free rein across users' Active Directory and cloud accounts.
Last Tuesday, Zoho issued a patch - Zoho ManageEngine ADSelfService Plus build 6114 - for the flaw, which is tracked as CVE-2021-40539 and which has a 9.8 severity rating.
"Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult," the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.
"Even if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. Recovery will be expensive - 'domain-wide password resets and double Kerberos Ticket Granting Ticket password resets' are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time."
"Users of Zoho's software should apply patches immediately to avoid the types of compromise described in the CISA bulletin," Nikkel said.
News URL
https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2021-09-07 | CVE-2021-40539 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp ManageEngine ADSelfService Plus: Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | 9.8 |