17 September 2021

State-backed hackers actively exploiting recently disclosed Zoho RCE bug

The Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint alert warning that state-sponsored advanced persistent threat (APT) groups are actively exploiting a recently patched vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

The vulnerability (CVE-2021-40539) exists due to improper access restrictions on the "/RestAPI/LogonCustomization" and "/RestAPI/Connection" REST API endpoints. It allows a remote, unauthenticated attacker to execute arbitrary code on the system by sending malicious HTTP requests to these endpoints. The bug was patched on September 6 with the release of Zoho ManageEngine ADSelfService Plus build 6114.
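As an added example (not from the article or the agencies' advisory), the Python below triages web-server access-log lines for requests to the two REST API endpoints named above, the kind of exposure check a defender would run against an ADSelfService Plus host's logs; the common access-log format and the sample lines are constructed assumptions, not real indicators.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumed common log format; not real IoCs).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2021:10:01:12 +0000] "GET /authorization.do HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2021:10:02:44 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 312
10.0.0.9 - - [07/Sep/2021:10:02:45 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 287
10.0.0.12 - - [07/Sep/2021:10:03:01 +0000] "GET /RestAPI/Connection/ HTTP/1.1" 200 287
10.0.0.7 - - [07/Sep/2021:10:05:30 +0000] "GET /images/logo.png HTTP/1.1" 200 9000
"""

# The two endpoints named in the advisory, compared case-insensitively on the path alone.
WATCHED_PATHS = ("/restapi/logoncustomization", "/restapi/connection")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalize_path(raw):
    """Drop the query string and trailing slash, lower-case, so variants still match."""
    return raw.split("?", 1)[0].rstrip("/").lower()


def find_suspicious(log_text):
    """Return (ip, timestamp, method, path, status) for every request to a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than silently mis-classifying them
        if normalize_path(m["path"]) in WATCHED_PATHS:
            hits.append((m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def summarize_by_source(hits):
    """Count hits per source IP; one host touching both endpoints back to back merits review."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print("review:", *hit)
    print(dict(summarize_by_source(hits)))
```

Any hit on these endpoints is a prompt to compare the host's build against 6114 and to inspect the web root for unexpected files, following the indicators in the agencies' advisory.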

According to the security agencies, APTs have been exploiting this flaw as part of their attacks since August 2021. The targeted entities include academic institutions, defense contractors, as well as critical infrastructure entities in transportation, IT, manufacturing, communications, logistics, and finance sectors.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the joint alert said.

The agencies’ advisory also includes the technical details of attacks and Indicators of Compromise (IoCs) associated with them.
