According to a joint advisory released by multiple agencies, state-backed advanced persistent threat (APT) groups are likely among those exploiting a critical flaw in a Zoho single sign-on and password management solution since early August 2021. 

The joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—self-service password management and single sign-on solution.

CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution.

The FBI, CISA and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a severe risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.

Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, explains, "While patching is important (and especially so with such a high impact vulnerability), organizations should note the frequent use of web shells as a post-exploitation payload. In this case, threat actors have been observed using web shells that were disguised as certificates. Thissort of activity should stand out in web server logs - but only if organizations have a plan for detection. Given that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed."

The FBI, CISA and CGCYBER have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [T1190] to ManageEngine ADSelfService Plus as early as August 2021. The actors have been observed using various tactics, techniques, and procedures (TTPs), including:

  • Frequently writing webshells [T1505.003] to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]
  • Conducting further operations to dump user credentials [T1003]
  • Living off the land by only using signed Windows binaries for follow-on actions [T1218]
  • Adding/deleting user accounts as needed [T1136]
  • Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution [T1047]
  • Deleting files to remove indicators from the host [T1070.004]
  • Discovering domain accounts with the net Windows command [1087.002]
  • Using Windows utilities to collect and archive files for exfiltration [T1560.001]
  • Using custom symmetric encryption for command and control (C2) [T1573.001]

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "The recently reported ManageEngine vulnerability is the fifth instance of similar, critical vulnerabilities from ManageEngine this year. Notably, these vulnerabilities are severe in that they allow either remote code execution or the ability to bypass security controls. Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of "blending in with the noise" of everyday system activity. It's reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes. The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho's software should apply patches immediately to avoid the types of compromise described in the CISA bulletin."

Considering the amount of access and control these tools have, IT security teams must take immediate steps to remediate fully, says Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation. Bar-Dayan adds, "Zoho has a patch, but it is just a patch for one vulnerable component of what is a multi-layered, advanced persistent threat. Apply the patch, but also make sure to eliminate direct access to ManageEngine software from the Internet where possible. If APT groups get access to systems management tools, they get the keys to the kingdom. Move quickly."

The FBI, CISA, and CGCYBER are proactively investigating and responding to this malicious cyber activity. The FBI, for instance, is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI's 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.

CISA also offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. Organizations of any size could find ways to reduce their risk and mitigate attack vectors by requesting these services.

CGCYBER has deployable elements that provide cyber capability to marine transportation system critical infrastructure in proactive defense or response to incidents.