A joint effort by several US government agencies has identified active exploitation of a vulnerability in Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. These agencies are the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER) and the Cybersecurity and Infrastructure Security Agency (CISA). Their joint advisory identifies the vulnerability as CVE-2021-40539, which the Common Vulnerability Scoring System (CVSS) rates as critical.
CVE-2021-40539 is an authentication bypass affecting the representational state transfer (REST) application programming interface (API) URLs of ADSelfService Plus. Exploiting it can allow advanced persistent threat (APT) actors to execute code on the ADSelfService Plus host. Successful exploitation lets these actors plant webshells, from which they can compromise administrator credentials, move laterally to other systems, and exfiltrate Active Directory files and registry hives. As a result, CVE-2021-40539 poses a severe risk to any organization running this software, which includes many defense contractors and academic institutions critical to the U.S. government's IT infrastructure.
Investigation
The investigating task force first received reports of APT actors exploiting CVE-2021-40539 as early as August 2021. The actors gained access to ADSelfService Plus by exploiting the public-facing application, the MITRE ATT&CK technique designated T1190. After exploiting CVE-2021-40539 they have used various other tactics, techniques, and procedures (TTPs), frequently writing webshells to establish initial persistence. They have also conducted further operations to obtain user credentials, adding user accounts as needed to accomplish these goals.
Additional TTPs the actors have used after exploiting the Zoho bug include Windows Management Instrumentation (WMI) for remote code execution, the Windows net command to discover domain accounts, and deleting files to remove indications of the attack from the host. The actors have also used various Windows utilities to collect files and otherwise prepare them for exfiltration.
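The behaviours listed above (webshells written under the web application, remote execution through WMI, domain account discovery with net, and deletion of files to cover tracks) are the kind of thing a defender would hunt for in endpoint and web-server telemetry. The script below is an added example, not code from the advisory, from Zoho, or from any of the agencies named here. It runs a few simple detection rules over constructed sample records; every hostname, user, timestamp, client address and path is invented, and the install directory C:\EXAMPLE_ADSSP_INSTALL is a placeholder standing in for wherever the product is installed. The rule logic is my own and is deliberately narrow; it is meant to show the pattern, not to be a complete ruleset.

```python
"""Added example (not from the advisory or from Zoho): hunt constructed
process-creation, file-creation and web access records for the
post-exploitation behaviours the advisory describes."""
import re
from typing import Dict, List, Tuple

# Constructed process-creation records. The field shape loosely follows
# Windows Security event 4688; all values are made up for this example.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"ts": "2021-09-10T02:14:05Z", "host": "adssp01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"ts": "2021-09-10T02:14:40Z", "host": "adssp01",
     "parent": r"C:\EXAMPLE_ADSSP_INSTALL\jre\bin\java.exe",  # placeholder install dir
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2021-09-10T02:20:11Z", "host": "adssp01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\EXAMPLE_ADSSP_INSTALL\logs\access.log"},
    {"ts": "2021-09-10T08:01:00Z", "host": "ws07",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c net use Z: \\fileserver\share"},  # benign admin use
]

# Constructed file-creation records (shape like Sysmon event 11) and web
# access lines from the same host. The .jsp name is invented.
FILE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2021-09-10T02:13:50Z", "host": "adssp01",
     "path": r"C:\EXAMPLE_ADSSP_INSTALL\webapps\adssp\help\sample.jsp",
     "process": r"C:\EXAMPLE_ADSSP_INSTALL\jre\bin\java.exe"},
]
ACCESS_LOG: List[str] = [
    '203.0.113.9 - - [10/Sep/2021:02:14:02 +0000] "POST /help/sample.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Sep/2021:08:05:10 +0000] "GET /ProtectedResource HTTP/1.1" 200 3002',
]

# net user/group/localgroup with /domain: domain account discovery.
NET_DISCOVERY = re.compile(r"\bnet1?(?:\.exe)?\s+(user|group|localgroup)\b.*/domain", re.I)
# Common file-deletion verbs seen on a command line.
FILE_DELETE = re.compile(r"\b(del|erase|remove-item|rm)\b", re.I)
# Combined-format access line: client, method, URL and status code.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".php")

Finding = Tuple[str, str, str]  # (rule name, host, detail)


def hunt_processes(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the process-based rules; one event can trigger several rules."""
    findings: List[Finding] = []
    for e in events:
        parent = e["parent"].lower()
        image = e["image"].lower()
        cmd = e["cmdline"]
        # A child of WmiPrvSE.exe is the classic footprint of WMI remote execution.
        if parent.endswith("wmiprvse.exe"):
            findings.append(("wmi_remote_exec", e["host"], cmd))
        # The web application's Java process spawning a shell is webshell behaviour.
        if parent.endswith("java.exe") and image.endswith(("cmd.exe", "powershell.exe")):
            findings.append(("webapp_spawned_shell", e["host"], cmd))
        if NET_DISCOVERY.search(cmd):
            findings.append(("domain_account_discovery", e["host"], cmd))
        if FILE_DELETE.search(cmd):
            findings.append(("file_deletion", e["host"], cmd))
    return findings


def hunt_webshells(file_events: List[Dict[str, str]], access_log: List[str]) -> List[Finding]:
    """Flag server-side script files newly written under webapps that are then
    requested over HTTP: a created-then-invoked pattern typical of webshells.
    Matching is by basename only, which is crude but enough for the example."""
    created: Dict[str, Dict[str, str]] = {}
    for f in file_events:
        p = f["path"].replace("\\", "/").lower()
        if "/webapps/" in p and p.endswith(SCRIPT_EXT):
            created[p.rsplit("/", 1)[-1]] = f
    findings: List[Finding] = []
    for line in access_log:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, method, url, _status = m.groups()
        name = url.split("?")[0].rsplit("/", 1)[-1].lower()
        if name in created:
            findings.append(("webshell_request", created[name]["host"], f"{method} {url} from {client}"))
    return findings


def hunt_all() -> List[Finding]:
    """Run every rule over the constructed sample data."""
    return hunt_processes(PROCESS_EVENTS) + hunt_webshells(FILE_EVENTS, ACCESS_LOG)


if __name__ == "__main__":
    for rule, host, detail in hunt_all():
        print(f"{host}: {rule}: {detail}")
```

On the sample data the script reports five findings on adssp01 and nothing for the benign net use on ws07. In practice the rules would be fed from a SIEM or EDR rather than inline lists, and the webshell rule would key on the full path under the real install directory rather than a basename.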
Response
Zoho released build 6114 of ADSelfService Plus on September 6, 2021, which patches CVE-2021-40539. The task force strongly urges administrators to update to this build while it continues to investigate and respond to attacks on this vulnerability. Organizations using ADSelfService Plus should also ensure the platform is not directly accessible from the internet.
The FBI has deployed units specifically trained to deal with CVE-2021-40539 in all of its 56 field offices. CyWatch, the FBI's operations center, supports these units around the clock by tracking incidents and communicating with field offices and partner agencies. CGCYBER has also deployed its own elements to provide cybersecurity capabilities to critical marine transportation systems in response to these attacks. In addition, CISA offers cyber hygiene services at no cost, helping organizations reduce their exposure to threats like CVE-2021-40539.
Actors typically run clean-up scripts that remove traces of the initial exploitation of the Zoho vulnerability, making it difficult to confirm that an attack has occurred. These scripts also obscure the relationship between the exploitation and the webshells it planted, so administrators are less likely to find and remove the webshells. Sharing information with the task force organizations strengthens their ability to identify these actors and hold them accountable.