The critical REST API authentication bypass leading to remote code execution in Zoho ManageEngine ADSelfService Plus version 6113 and older, tracked as "CVE-2021-40539", is under active exploitation by sophisticated APT actors. CISA has issued a joint advisory together with the FBI and the U.S. Coast Guard Cyber Command, highlighting the threat and urging all admins responsible for deployments of the vulnerable component to upgrade to the latest available version. Zoho released a fix on September 6, 2021, as version 6114, but ten days later many deployments remain unpatched.
As the report details, actors are exploiting CVE-2021-40539 to upload a ZIP file to the target endpoint. That file contains a JavaServer Pages (JSP) webshell masquerading as an x509 certificate, which opens the way to lateral movement on the network using WMI, access to a domain controller, and dumping of NTDS.dit and the SECURITY/SYSTEM registry hives.
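The "webshell masquerading as a certificate" detail above is something defenders can hunt for directly: a genuine certificate file is either PEM (base64 between BEGIN/END markers) or DER (an ASN.1 SEQUENCE), whereas a JSP webshell contains scriptlet tags and Java identifiers that never appear in either encoding. The following is an added example written for this article, not code from CISA, Zoho or the original report. It assumes the file extensions in `CERT_EXTENSIONS` and the markers in `JSP_MARKERS` (both are the author's assumptions, chosen to illustrate the technique), and the sample contents it scans are constructed, not real artefacts from the advisory.

```python
import base64
import os
import re
import tempfile

# Assumption: extensions under which a fake "certificate" might be dropped.
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der")

# Assumption: byte sequences that indicate JSP/Java content rather than x509 data.
JSP_MARKERS = (b"<%", b"jsp:", b"java.lang.Runtime", b"request.getParameter")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----"
)

# Constructed sample: a PEM-shaped file whose body is valid base64 (not a real cert).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed sample body, not a real certificate") + b"\n"
    + b"-----END CERTIFICATE-----\n"
)

# Constructed sample: JSP content, illustrating only the shape of a scriptlet.
SAMPLE_JSP = b'<%@ page import="java.util.*" %>\n<% out.println("constructed"); %>\n'


def looks_like_certificate(data: bytes) -> bool:
    """Heuristic: True if bytes are plausibly a PEM or DER x509 certificate."""
    m = PEM_RE.search(data)
    if m:
        try:
            base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
            return True
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    # DER: SEQUENCE tag 0x30 followed by a long-form length (0x82/0x83 for typical cert sizes)
    return len(data) > 4 and data[0] == 0x30 and data[1] in (0x82, 0x83)


def contains_jsp(data: bytes) -> bool:
    """True if any JSP/Java marker appears anywhere in the file (cert-shaped or not)."""
    return any(marker in data for marker in JSP_MARKERS)


def classify_bytes(data: bytes) -> str:
    """Verdict for one file's contents. JSP markers are checked first so that a
    webshell appended to an otherwise valid PEM is still flagged."""
    if contains_jsp(data):
        return "SUSPICIOUS_JSP_IN_CERT"
    if not looks_like_certificate(data):
        return "NOT_A_CERT"
    return "OK"


def scan_directory(root: str) -> dict:
    """Walk root and return {path: verdict} for every certificate-named file that is not OK."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(CERT_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdict = classify_bytes(fh.read())
                if verdict != "OK":
                    findings[path] = verdict
    return findings


def demo() -> dict:
    """Build a throwaway directory with one plausible cert and one JSP disguised as a
    cert, scan it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "trusted.cer"), "wb") as fh:
            fh.write(SAMPLE_PEM)
        with open(os.path.join(tmp, "fake.crt"), "wb") as fh:
            fh.write(SAMPLE_JSP)
        return {os.path.basename(p): v for p, v in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict}: {name}")
```

In practice you would point `scan_directory` at the web application's deployment root and at any directory the application writes uploads to, and treat a `SUSPICIOUS_JSP_IN_CERT` hit as an incident-response trigger rather than something to simply delete, since the file's timestamps and the surrounding access logs are the evidence needed to reconstruct the intrusion.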
Although detecting the intrusion is hard, because these actors know how to clean up traces of the initial point of compromise and then hide their presence among regular daily activity, CISA has collected evidence that goes as far back as early August 2021. The targets that APT actors focus on right now include defense contractors, academic institutions, and entities that support critical infrastructure, such as transportation, IT, logistics, and communications.
The TTPs (tactics, techniques, procedures) listed in the report are the following:
Sean Nikkel, a threat intelligence analyst at Digital Shadows, has shared the following comment with TechNadu:
Updating to Zoho ManageEngine ADSelfService Plus build 6114 is the best way to defend against these attacks. Still, since the fix came out after the first attacks were detected, admins are advised to scrutinize their networks for the aforementioned indicators (TTPs) to determine whether they have already been compromised.