Zoho bug exploited by state-backed APTs according to the FBI and CISA

A joint report on Thursday warned that APT actors are using a critical vulnerability in Zoho ManageEngine ADSelfService Plus to gain access to corporations’ Active Directory environments and cloud accounts. The recently identified bug in Zoho’s password management tool has been used by threat actors, including state-funded advanced persistent threats (APTs), since early last month.

Zoho ManageEngine ADSelfService Plus is a password management system and single sign-on tool for use with Active Directory and cloud accounts. The vulnerability, identified as CVE-2021-40539, allows threat actors to access the cloud accounts and Active Directory environments of targeted organisations.

The joint report by the FBI, CISA, and Coast Guard Cyber Command (CGCYBER) warns that many critical infrastructure sectors in the US have been targeted by APTs and are at risk because of this vulnerability. Corporate customers of Zoho include large businesses such as Apple, PayPal, and Nike.

Attacks on Critical Infrastructure 

The report details that APTs are targeting academic institutions, defence contractors, and “critical infrastructure entities.” Amongst the infrastructure entities targeted are transportation, IT, logistics, and finance.  

The report states: 

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.” 

The joint advisory explains that, once the vulnerability is exploited, attackers can place webshells and then carry out a number of post-exploitation activities. These include “compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

Mitigation Procedures 

This CISA report follows a security notification Zoho released last week, which detailed the effects of CVE-2021-40539 and outlined the steps affected businesses should take. Zoho stated that CVE-2021-40539 was a critical issue and that they were “noticing indications of this vulnerability being exploited.”

Zoho released a patch for ManageEngine ADSelfService Plus that fixed the vulnerability on September 6.

The CISA joint report released on Thursday stressed that users and administrators should update their installations of ADSelfService Plus. It also recommended that organisations ensure ADSelfService Plus is not directly accessible from the internet, and encouraged “domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets” should an organisation find evidence of compromise.

The report urges organisations to report to CISA or the FBI should they find any of the following:

  • Identification of indicators of compromise as outlined above. 
  • Presence of webshell code on compromised ManageEngine ADSelfService Plus servers. 
  • Unauthorized access to or use of accounts. 
  • Evidence of lateral movement by malicious actors with access to compromised systems. 
  • Other indicators of unauthorized access or compromise.