CISA Warns About APT Actors Targeting Zoho ManageEngine ADSelfService Plus Flaw

By Bill Toulas / September 17, 2021

The critical REST API authentication bypass the remote code execution flaw in the Zoho ManageEngine ADSelfService Plus version 6113 and older, which is tracked as "CVE-2021-40539" is under active exploitation by sophisticated APT actors. CISA has issued a joint advisory together with the FBI and the U.S. Coast Guard Cyber Command, highlighting the threat and urging all admins responsible for the deployment of the vulnerable component to upgrade to the latest available version. Zoho released a fixing update on September 6, 2021, with version 6114, but only ten days after that, many deployments remain unpatched.

As the report details, actors are exploiting CVE-2021-40539 to upload a ZIP file on the target endpoint. That file contains a JavaServer Pages (JSP) webshell masquerading as an x509 certificate, essentially opening the way to lateral movement on the network using WMI, accessing a domain controller, and dumping NTDS.dit and SECURITY/SYSTEM registry hives.

Although detecting the intrusion is hard because these hackers know how to clean the trace of the initial point of compromise and then hide their presence among regular daily activities, CISA has collected some evidence that goes as far back as early August 2021. The targets that APT actors focus on right now include defense contractors, academic institutions, and entities that support critical infrastructure like transportation, IT, logistics, communications, etc.

The TTPs (tactics, techniques, procedures) listed in the report are the following:

Sean Nikkel, a threat intelligence analyst at Digital Shadows, has shared the following comment with TechNadu:

The recently reported ManageEngine vulnerability is the fifth instance of similar, critical vulnerabilities from ManageEngine this year that allows either remote code execution or the ability to bypass security controls. Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers. Attackers can then take advantage of "blending in with the noise" of everyday system activity.

It's reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes. The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future.

Updating to Zoho ManageEngine ADSelfService Plus build 6114 is the best way to defend against these attacks. Still, since the fix came out after the first attacks were detected, admins are advised to scrutinize their networks for the aforementioned indicators (TTPs) to determine if they have already been compromised.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari