CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug (Security News, September 2021)
The FBI, CISA and the U.S. Coast Guard Cyber Command warned today that state-backed advanced persistent threat actors are likely among those who've been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.
At issue is a critical authentication bypass vulnerability in the Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution and thus open the corporate doors to attackers, who can then run amok with free rein across users' Active Directory and cloud accounts.
Last Tuesday, Zoho issued a patch - Zoho ManageEngine ADSelfService Plus build 6114 - for the flaw, which is tracked as CVE-2021-40539 and which has a 9.8 severity rating.
"Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult," the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.
"Even if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. Recovery will be expensive - 'domain-wide password resets and double Kerberos Ticket Granting Ticket password resets' are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time."
"Users of Zoho's software should apply patches immediately to avoid the types of compromise described in the CISA bulletin," Nikkel said.
News URL
https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/
Related news
- CISA warns of critical Palo Alto Networks bug exploited in attacks
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks
- CISA, FBI Issue Guidance for Securing Communications Infrastructure
- CISA confirms critical Cleo bug exploitation in ransomware attacks
- CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign
- CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2021-09-07 | CVE-2021-40539 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | 9.8 |