- Zoho ManageEngine ADSelfService Plus is under attack by sophisticated and stealthy APT actors.
- The actors have found a way to hide their activity by blending in with everyday network traffic.
- Updating is the only way to close the flaw, but some admins may first need to find and uproot webshells that are already planted.
The critical REST API authentication bypass in Zoho ManageEngine ADSelfService Plus builds 6113 and earlier, which leads to remote code execution and is tracked as CVE-2021-40539, is under active exploitation by sophisticated APT actors. CISA has issued a joint advisory with the FBI and the U.S. Coast Guard Cyber Command highlighting the threat and urging every admin responsible for a deployment of the vulnerable product to upgrade to the latest available build. Zoho released the fix on September 6, 2021, as build 6114, yet ten days later many deployments remain unpatched.
As the report details, the actors exploit CVE-2021-40539 to upload a ZIP archive to the target system. The archive contains a JavaServer Pages (JSP) webshell disguised as an x509 certificate. From that foothold they move laterally across the network using WMI, reach a domain controller, and dump NTDS.dit together with the SECURITY and SYSTEM registry hives.
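The masquerade described above is cheap to check for: an x509 certificate is either PEM text or a DER blob, so any "certificate" that contains JSP markup is a webshell by definition. The script below is an added example, not code from the CISA advisory or from Zoho. It walks a directory tree, flags files whose content contradicts their extension, and generalises the check to JSP files carrying command-execution primitives and JSP content hidden under any non-JSP name. All file names and contents in `build_sample_tree` are constructed for the demonstration, not real artifacts.

```python
"""Hunt for JSP webshells hiding behind certificate (or other) extensions.

Added example, not code from the CISA advisory or from Zoho: walks a
directory tree and flags files whose content does not match their extension.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# JSP scriptlets/directives/actions; genuine PEM or DER certificates contain none.
JSP_MARKERS = re.compile(rb"<%|<jsp:", re.I)
# Command-execution primitives commonly found in JSP webshells.
EXEC_MARKERS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I)
CERT_EXTS = {".cer", ".crt", ".pem", ".der"}
JSP_EXTS = {".jsp", ".jspx", ".jspf"}
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def looks_like_certificate(data: bytes) -> bool:
    """PEM text or a DER blob (outer ASN.1 SEQUENCE tag 0x30)."""
    return data.lstrip().startswith(PEM_HEADER) or data[:1] == b"\x30"


def classify(path: Path) -> Optional[str]:
    """Return a verdict label for a suspicious file, or None if it looks benign."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    has_jsp = JSP_MARKERS.search(data) is not None
    has_exec = EXEC_MARKERS.search(data) is not None
    if ext in CERT_EXTS and has_jsp:
        return "jsp-masquerading-as-certificate"
    if ext in CERT_EXTS and not looks_like_certificate(data):
        return "certificate-extension-but-not-a-certificate"
    if ext in JSP_EXTS and has_exec:
        return "jsp-with-command-execution"
    if ext not in JSP_EXTS and has_jsp:
        return "jsp-content-under-unexpected-extension"
    return None


def hunt(root: str) -> Dict[str, str]:
    """Map of relative path -> verdict for every flagged file under root."""
    base = Path(root)
    findings: Dict[str, str] = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            verdict = classify(p)
            if verdict:
                findings[p.relative_to(base).as_posix()] = verdict
    return findings


def build_sample_tree() -> str:
    """Constructed sample files (not real artifacts) so the hunt runs offline."""
    root = tempfile.mkdtemp(prefix="adssp-hunt-")
    samples = {
        # A real-looking certificate: must not be flagged.
        "conf/server.cer": PEM_HEADER + b"\nMIIBszCCAVmgAwIBAgIUQ==\n-----END CERTIFICATE-----\n",
        # JSP webshell stored under a .cer name, the masquerade described above.
        "webapps/app/shell.cer": (
            b'<%@ page import="java.io.*" %>'
            b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
        ),
        # Ordinary JSP page: no command execution, must not be flagged.
        "webapps/app/index.jsp": b'<html><%= "hello" %></html>',
        # Webshell under its natural extension.
        "webapps/app/cmd.jsp": b'<% new ProcessBuilder(request.getParameter("c")).start(); %>',
        # JSP content hidden under a .txt name.
        "webapps/app/notes.txt": b"<jsp:include page='x.jsp'/>",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, verdict in hunt(build_sample_tree()).items():
        print(f"{verdict:45} {rel}")
```

Point `hunt()` at the product's web application directory on a suspect host; the content-based checks are what matter, since an attacker controls the file name and extension entirely.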
Detecting the intrusion is hard because the actors clean up traces of the initial compromise and then hide among regular daily activity, but CISA has collected evidence of exploitation going back to early August 2021. Current targets include defense contractors, academic institutions, and entities supporting critical infrastructure such as transportation, IT, logistics, and communications.
The TTPs (tactics, techniques, and procedures) listed in the report are the following:
- Frequently writing webshells to disk for initial persistence
- Obfuscating and Deobfuscating/Decoding Files or Information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)
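Several of the TTPs above leave a distinctive parent/child process relationship or command line on the host, which is where most defenders will look first. The following is an added example, not from the CISA advisory: a small rule set run over constructed process-creation events (Sysmon Event ID 1-style fields). The rules assume the ADSelfService Plus web tier runs as java.exe, so a shell spawned by java.exe is treated as webshell execution; WMI remote execution shows up as WmiPrvSE.exe spawning the payload; and net, ntdsutil and reg command lines cover account discovery, account manipulation, NTDS.dit theft and hive export. The install path and every event in `SAMPLE_EVENTS` are illustrative, not observed data.

```python
"""Flag the post-exploitation TTPs listed above in process-creation events.

Added example, not from the CISA advisory: the rules and the sample events
(Sysmon Event ID 1-style fields) are constructed here for illustration.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NET = {"net.exe", "net1.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: Event) -> List[str]:
    """Names of every TTP rule the event triggers (possibly none)."""
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits: List[str] = []
    # Webshell execution: ADSelfService Plus is a Java web application (assumption:
    # its web tier runs as java.exe), so java.exe spawning a shell is the tell.
    if parent == "java.exe" and image in SHELLS:
        hits.append("webshell-command-execution")
    # WMI remote execution: the payload is launched by the WMI provider host.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi-remote-execution")
    # Domain account discovery with the net command.
    if image in NET and "/domain" in cmd:
        hits.append("domain-account-discovery")
    # Adding or deleting user accounts.
    if image in NET and re.search(r"\buser\b.*\s/(add|del(ete)?)\b", cmd):
        hits.append("account-manipulation")
    # NTDS.dit theft: ntdsutil IFM snapshot or a direct reference to the database file.
    if (image == "ntdsutil.exe" and "ifm" in cmd) or "ntds.dit" in cmd:
        hits.append("ntds-theft")
    # SYSTEM/SECURITY/SAM hive export via reg save.
    if image == "reg.exe" and re.search(r"\bsave\b.*hklm\\(system|security|sam)\b", cmd):
        hits.append("registry-hive-dump")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule hit across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_rules(ev)]


# Constructed sample telemetry (illustrative paths, not observed data).
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup P@ssw0rd /add"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\ad" q q'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system C:\temp\sys.hiv"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The rules are deliberately narrow: each one encodes a single TTP from the list, so a hit on the java.exe rule on the ADSelfService Plus server, followed by net.exe or ntdsutil.exe hits on a domain controller, reproduces the chain the advisory describes. Living-off-the-land activity uses signed Windows binaries, which is exactly why process lineage and command-line arguments, not file reputation, carry the signal here.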
Sean Nikkel, a threat intelligence analyst at Digital Shadows, has shared the following comment with TechNadu:
The recently reported ManageEngine vulnerability is the fifth instance of similar, critical vulnerabilities from ManageEngine this year that allows either remote code execution or the ability to bypass security controls. Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers. Attackers can then take advantage of "blending in with the noise" of everyday system activity.
It's reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes. The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future.
Updating to Zoho ManageEngine ADSelfService Plus build 6114 is the best defense against these attacks. Still, since the first attacks predate the fix, patching alone does not evict an intruder who is already inside: admins are advised to scrutinize their networks for the aforementioned indicators (TTPs) to determine whether they have already been compromised.