Security News > 2021 > September > CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug

The FBI, CISA and the U.S. Coast Guard Cyber Command warned today that state-backed advanced persistent threat actors are likely among those who've been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.
At issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution and thus open the corporate doors to attackers who can run amok, with free rein across users' Active Directory and cloud accounts.
Last Tuesday, Zoho issued a patch - Zoho ManageEngine ADSelfService Plus build 6114 - for the flaw, which is tracked as CVE-2021-40539 and which has a 9.8 severity rating.
"Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult," the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.
"Even if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. Recovery will be expensive - 'domain-wide password resets and double Kerberos Ticket Granting Ticket password resets' are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time."
"Users of Zoho's software should apply patches immediately to avoid the types of compromise described in the CISA bulletin," Nikkel said.
News URL
https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/
Related news
- CISA and FBI: Ghost ransomware breached orgs in 70 countries (source)
- CISA tags critical Ivanti EPM flaws as actively exploited in attacks (source)
- CISA: Medusa ransomware hit over 300 critical infrastructure orgs (source)
- Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-07 | CVE-2021-40539 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | 9.8 |