FBI warns hackers could be exploiting critical Zoho bug

Organizations should update Zoho ADSelfService Plus now to avoid being targeted


In a new joint security advisory, the FBI, CISA and the Coast Guard Cyber Command (CGCYBER) are warning enterprise organizations that state-sponsored advanced persistent threat (APT) groups are actively exploiting a critical flaw in software from Zoho.

The vulnerability itself, tracked as CVE-2021-40539, was discovered in Zoho’s ManageEngine ADSelfService Plus software, which provides both single sign-on and password management capabilities. If this flaw is exploited successfully, it can allow an attacker to take over vulnerable systems on a company’s network.

This new joint security advisory comes on the heels of a similar warning recently issued by CISA alerting organizations that the security flaw in Zoho’s software, which can be exploited to achieve remote code execution, is being actively exploited in the wild.

CISA provided further details on how threat actors are exploiting this vulnerability in its joint security advisory with the FBI and CGCYBER, saying:

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

Lateral movement

When the authentication bypass vulnerability in ManageEngine ADSelfService Plus has been exploited in the wild, attackers have leveraged it to deploy JavaServer Pages (JSP) web shells disguised as an X.509 certificate.

By deploying this web shell, attackers are able to move laterally across an organization’s network using Windows Management Instrumentation (WMI) to gain access to domain controllers and dump NTDS.dit and the SECURITY/SYSTEM registry hives, according to a new report from BleepingComputer.
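The advisory describes web shells written to disk so that they look like certificate files. As a defender-side illustration, the following hunting script is an added example (not code from the article, Zoho, CISA or BleepingComputer): it walks a directory and flags any file that claims to be a certificate, by extension or by PEM header, but contains JSP markup or a PEM body that is not valid base64. The extension list, the JSP markers and the directory layout are assumptions; the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Hunt for JSP content hiding behind certificate-looking files.

Added example, not from the article or the vendor. Assumptions: the
extensions below are what an operator expects to hold X.509 material,
and the markers below are server-side syntax that never belongs there.
"""
from __future__ import annotations

import base64
import binascii
import re
import tempfile
from pathlib import Path

# Extensions that should only ever hold X.509 / PKCS material (assumption).
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der", ".p7b"}
# Server-side markup and Java APIs that have no place in a certificate file.
JSP_MARKERS = (b"<%@", b"<%=", b"<%", b"<jsp:", b"Runtime.getRuntime", b"ProcessBuilder")
# First PEM block in the file: label, body, matching END label.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_body_is_valid(data: bytes) -> bool:
    """True if the first PEM block has a non-empty body that is strict base64."""
    match = PEM_RE.search(data)
    if not match:
        return False
    body = re.sub(rb"\s+", b"", match.group(2))  # PEM wraps lines; strip before validating
    if not body:
        return False
    try:
        base64.b64decode(body, validate=True)  # rejects any non-alphabet character
    except binascii.Error:
        return False
    return True


def classify(path: Path) -> list[str]:
    """Return the reasons a certificate-looking file is suspicious (empty if clean)."""
    data = path.read_bytes()
    claims_to_be_cert = (
        path.suffix.lower() in CERT_EXTENSIONS or data.lstrip().startswith(b"-----BEGIN")
    )
    if not claims_to_be_cert:
        return []  # plain JSP elsewhere is out of scope for this check
    findings: list[str] = []
    if any(marker in data for marker in JSP_MARKERS):
        findings.append("jsp-markup")
    if data.lstrip().startswith(b"-----BEGIN") and not pem_body_is_valid(data):
        findings.append("malformed-pem")
    return findings


def scan(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file name under root to its findings."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify(path)
            if findings:
                results[path.name] = findings
    return results


def build_sample_dir() -> Path:
    """Constructed sample files in a temp directory (not real artifacts)."""
    root = Path(tempfile.mkdtemp(prefix="cert-hunt-"))
    # Well-formed PEM wrapper; the body is filler bytes, not a real DER certificate.
    filler = base64.encodebytes(b"constructed filler standing in for DER bytes").decode()
    (root / "good.cer").write_text(
        f"-----BEGIN CERTIFICATE-----\n{filler}-----END CERTIFICATE-----\n"
    )
    # A harmless JSP page saved under a certificate extension.
    (root / "shell.cer").write_text('<%@ page import="java.util.*" %>\n<% out.println("hi"); %>\n')
    # PEM framing with JSP markup stuffed into the body instead of base64.
    (root / "sneaky.pem").write_text(
        "-----BEGIN CERTIFICATE-----\n<% out.println(1); %>\n-----END CERTIFICATE-----\n"
    )
    # Not a certificate by name or header, so not in scope.
    (root / "readme.txt").write_text("<% notes, out of scope %>\n")
    return root


if __name__ == "__main__":
    for name, why in scan(build_sample_dir()).items():
        print(f"{name}: {', '.join(why)}")
```

Point the `scan()` function at the web application's document root or certificate store on a host you administer; the two checks are independent, so a file can be flagged for JSP markup, for a broken PEM body, or both.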


It’s worth noting that the APT groups actively exploiting this vulnerability in the wild have launched attacks targeting organizations across a variety of industries including academia, defense, transportation, IT, manufacturing, communications, logistics and finance.

Organizations that use Zoho ManageEngine ADSelfService Plus should update their software to the latest version, which was released earlier this month and contains a patch for CVE-2021-40539. The FBI, CISA and CGCYBER also recommend that organizations ensure that ADSelfService Plus is not directly accessible from the internet, to avoid falling victim to any potential attacks leveraging this vulnerability.

Via BleepingComputer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
