CISA Warns About APT Actors Targeting Zoho ManageEngine ADSelfService Plus Flaw
- Zoho ManageEngine ADSelfService Plus is under attack by sophisticated and stealthy APTs.
- The actors have figured out a way to hide their activity by blending in with day-to-day network traffic.
- Updating is the only way to close the hole, but some deployments may already carry webshells that must be found and removed first.
The critical REST API authentication bypass leading to remote code execution in Zoho ManageEngine ADSelfService Plus build 6113 and earlier, tracked as CVE-2021-40539, is under active exploitation by sophisticated APT actors. CISA has issued a joint advisory together with the FBI and the U.S. Coast Guard Cyber Command, highlighting the threat and urging every admin responsible for a vulnerable deployment to upgrade to the latest available build. Zoho released the fix on September 6, 2021, as build 6114, but ten days later many deployments remain unpatched.
As the advisory details, the actors exploit CVE-2021-40539 to upload a ZIP file to the target host. The archive contains a JavaServer Pages (JSP) webshell masquerading as an x509 certificate; from that foothold they move laterally across the network with WMI, reach a domain controller, and dump NTDS.dit together with the SECURITY and SYSTEM registry hives.
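The masquerade described above is cheap to hunt for: a file carrying a certificate extension should parse as PEM or DER, never as JSP. The script below is an added example written for this article, not code from the original page, from CISA, or from Zoho. It walks a directory tree (assumed to be the ADSelfService Plus install root), flags certificate-named files that contain JSP scriptlets or that are not X.509 material at all, and separately flags JSP pages that spawn processes. The directory tree it scans is constructed inline for demonstration; point `hunt()` at the real install directory in practice.

```python
"""Hunt for JSP webshells disguised as certificate files.

Added example for this article; not code from the original page, from
CISA, or from Zoho. The root directory is assumed to be the
ADSelfService Plus install directory; the tree built by
build_sample_tree() is constructed here purely for the demo.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Extensions an operator expects to hold X.509 material.
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der", ".p7b"}

# JSP scriptlet/tag syntax has no business inside a certificate file.
JSP_MARKERS = re.compile(rb"<%[\s\S]*?%>|<jsp:")

# Command-execution tells for files that legitimately are JSP.
EXEC_MARKERS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|cmd\.exe")

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def looks_like_certificate(data: bytes) -> bool:
    """True if the bytes plausibly are PEM or DER certificate material."""
    if data.lstrip().startswith(PEM_HEADER):
        return True
    # DER-encoded X.509 starts with an ASN.1 SEQUENCE tag (0x30).
    return len(data) > 2 and data[0] == 0x30


def classify(path: str) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if it looks clean."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(1_000_000)  # webshells are small; cap the read
    except OSError:
        return None
    ext = os.path.splitext(path)[1].lower()
    if ext in CERT_EXTENSIONS:
        if JSP_MARKERS.search(data):
            return "jsp-webshell-masquerading-as-certificate"
        if not looks_like_certificate(data):
            return "certificate-extension-but-not-x509"
        return None
    if ext in {".jsp", ".jspx"} and EXEC_MARKERS.search(data):
        return "jsp-with-command-execution"
    return None


def hunt(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, label))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking a web root; returns its path."""
    root = tempfile.mkdtemp(prefix="adssp-hunt-")
    samples = {
        # Genuine-looking PEM certificate (placeholder body): clean.
        "conf/server.cer": b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUPLACEHOLDER\n-----END CERTIFICATE-----\n",
        # Neither PEM nor DER under a certificate extension: worth a look.
        "conf/empty.crt": b"hello\n",
        # JSP scriptlet stored under a .cer name: the masquerade the advisory describes.
        "webapps/adssp/help/report.cer": b'<%@ page import="java.io.*" %>\n<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n',
        # Ordinary application page: clean.
        "webapps/adssp/index.jsp": b'<%@ page contentType="text/html" %>\n<html><body>Reset your password</body></html>\n',
        # JSP that spawns processes: not necessarily malicious, but flagged for review.
        "webapps/adssp/help/x.jsp": b'<% new ProcessBuilder("whoami").start(); %>\n',
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in hunt(build_sample_tree()):
        print(f"{finding:45} {rel}")
```

The content checks deliberately ignore the file name beyond its extension, since the point of the masquerade is that the name looks benign; anything flagged still needs a manual look, because a certificate-extension file that fails the X.509 check may simply be a misnamed key or a truncated export.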
Detecting the intrusion is hard because the actors clean up traces of the initial compromise and then hide among regular daily activity, but CISA has collected evidence going back to early August 2021. Current targets include defense contractors, academic institutions, and entities that support critical infrastructure sectors such as transportation, IT, logistics, and communications.
The TTPs (tactics, techniques, and procedures) listed in the report are the following:
- Frequently writing webshells to disk for initial persistence
- Obfuscating and Deobfuscating/Decoding Files or Information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)
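Most of the listed TTPs leave a footprint in process-creation telemetry, because living off the land means the actors run signed Windows binaries with recognizable command lines. The detector below is an added example written for this article, not code from the original page or from CISA. It assumes a simplified log format of one event per line, `<time>|<host>|<parent image>|<image>|<command line>`, which is roughly what a Sysmon Event ID 1 export reduces to; the event lines it runs over are constructed for the demo. Each rule maps to one item in the list above (webshell execution, WMI remote execution, account manipulation, domain account discovery with net, NTDS.dit or hive theft, archiving with Windows utilities, and indicator removal); the custom C2 encryption has no host-side process signature and is left out.

```python
"""Flag the advisory's post-exploitation TTPs in process-creation events.

Added example for this article; not code from the original page or from
CISA. The log format is assumed: one event per line,
"<time>|<host>|<parent image>|<image>|<command line>". SAMPLE_LOG is
constructed for the demo and does not come from any real incident.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def parse(line: str) -> Event:
    time, host, parent, image, cmd = line.split("|", 4)
    return {"time": time, "host": host, "parent": parent, "image": image, "cmd": cmd}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe"}
NET = {"net.exe", "net1.exe"}


def net_modifies(e: Event) -> bool:
    """net user <name> ... /add or /delete."""
    return base(e["image"]) in NET and bool(
        re.search(r"\buser\b.*\s/(add|del(ete)?)\b", e["cmd"], re.I))


def net_enumerates(e: Event) -> bool:
    """net user|group ... /domain that does not create or delete anything."""
    return base(e["image"]) in NET and not net_modifies(e) and bool(
        re.search(r"\b(user|group)\b.*\s/domain\b", e["cmd"], re.I))


# One predicate per TTP from the advisory's list; each runs on a single event.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Shell spawned by the ADSelfService Plus Java process: webshell execution.
    ("webshell-child-process",
     lambda e: base(e["parent"]) == "java.exe" and base(e["image"]) in SHELLS),
    # Either side of a WMI remote-execution: wmic /node: on the source, or
    # WmiPrvSE.exe spawning a shell on the target.
    ("wmi-remote-execution",
     lambda e: (base(e["parent"]) == "wmiprvse.exe" and base(e["image"]) in SHELLS)
     or (base(e["image"]) == "wmic.exe" and "/node:" in e["cmd"].lower())),
    ("account-manipulation", net_modifies),
    ("domain-account-discovery", net_enumerates),
    # NTDS.dit via ntdsutil/direct copy, or reg save of SYSTEM/SECURITY/SAM hives.
    ("ntds-or-hive-dump",
     lambda e: bool(re.search(
         r"ntds\.dit|\bntdsutil\b|\breg(\.exe)?\s+save\s+hklm\\(system|security|sam)\b",
         e["cmd"], re.I))),
    # Built-in archivers used to stage files for exfiltration.
    ("archive-for-exfil",
     lambda e: base(e["image"]) in {"makecab.exe", "tar.exe", "compact.exe"}
     or bool(re.search(r"compress-archive", e["cmd"], re.I))),
    # Deleting dropped artifacts or clearing event logs.
    ("indicator-removal",
     lambda e: (base(e["image"]) == "cmd.exe"
                and bool(re.search(r"\b(del|erase)\b.*\.(jsp|zip|log|cer)\b", e["cmd"], re.I)))
     or bool(re.search(r"\bwevtutil\s+cl\b", e["cmd"], re.I))),
]


def detect(e: Event) -> List[str]:
    """Labels of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES if rule(e)]


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (time, host, labels) for every event that matches at least one rule."""
    hits = []
    for line in lines:
        e = parse(line)
        labels = detect(e)
        if labels:
            hits.append((e["time"], e["host"], labels))
    return hits


# Constructed events for the demo (hosts, paths and names are made up).
SAMPLE_LOG = [
    r'2021-08-05T02:11:07Z|ADSSP01|C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami',
    r'2021-08-05T02:14:52Z|ADSSP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:DC01 process call create "cmd.exe /c hostname"',
    r'2021-08-05T02:16:30Z|DC01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\dump" q q',
    r'2021-08-05T02:17:02Z|DC01|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg save hklm\system C:\Windows\Temp\sys.hiv',
    r'2021-08-05T02:20:45Z|ADSSP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user svc_backup Summer2021 /add /domain',
    r'2021-08-05T02:21:10Z|ADSSP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain',
    r'2021-08-05T02:25:33Z|ADSSP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\makecab.exe|makecab C:\Windows\Temp\sys.hiv C:\Windows\Temp\sys.cab',
    r'2021-08-05T02:40:08Z|ADSSP01|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c del C:\Windows\Temp\upload.zip',
    r'2021-08-05T09:02:19Z|ADSSP01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt',
]

if __name__ == "__main__":
    for time, host, labels in scan(SAMPLE_LOG):
        print(f"{time} {host:8} {', '.join(labels)}")
```

A single event can trip several rules (the WmiPrvSE-spawned ntdsutil line is both WMI remote execution and an NTDS dump), and that overlap is the useful signal: one noisy `net group /domain` is routine, but the same host running it minutes after a shell was spawned from `java.exe` is the chain the advisory describes.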
Sean Nikkel, a threat intelligence analyst at Digital Shadows, has shared the following comment with TechNadu:
Updating to Zoho ManageEngine ADSelfService Plus build 6114 is the best way to defend against these attacks. Still, since the fix came out after the first attacks were detected, admins are advised to scrutinize their networks for the aforementioned indicators (TTPs) to determine if they have already been compromised.