CISA: Patch Zoho Bug Being Exploited by APT Groups

The US government is urging organizations to patch a newly identified Zoho vulnerability since state-sponsored attackers are actively exploiting it.

CVE-2021-40539 is a critical authentication bypass vulnerability affecting REST-based API URLs which could enable remote code execution if exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA).

It affects ManageEngine ADSelfService Plus — a self-service password management and single sign-on solution from the online productivity vendor.

Zoho released a patch for this bug on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August, using various tools and techniques.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software,” it warned.

“Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

CISA claimed that threat actors might be looking for “US research” in multiple sectors.

Sean Nikkel, a senior cyber threat intel analyst at Digital Shadows, claimed that this is the fifth critical bug to be found in ManageEngine this year.

“Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of ‘blending in with the noise’ of everyday system activity. It’s reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes,” he argued.

“The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin.”

What’s Hot on Infosecurity Magazine?