Threat Signal Report

Multiple Agency Announcement on APT Actors Exploiting Zoho ManageEngine ADSelfService Plus (AA21-259A)

Description

On September 16th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and United States Coast Guard Cyber Command (CGCYBER) released a new joint advisory titled - Alert (AA21-259A) APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to a REST API authentication bypass, which ultimately allows for remote code execution. The vulnerability has been assigned CVE-2021-40539.


What Are the Technical Details of the Vulnerability?

An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. Remote code execution is possible via affected REST API URL(s) that could allow for remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells within the victim environment. Once inside the victim environment, an adversary can conduct the following - Lateral movement, compromising administrator credentials, post exploitation, and exfiltrating registry hives and Active Directory files from a domain controller.


Is this Being Exploited in the Wild?

Yes. According to US-CERT, this is limited to targeted attacks by a sophisticated unnamed APT group.


What Verticals are Being Targeted?

According to the US-CERT alert, the following list of verticals have been observed to be targeted - academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors including transportation, IT, manufacturing, communications, logistics, and finance.


What is the CVSS score?

9.8 CRITICAL


Has the Vendor Issued a Patch?

Yes, patches were released on September 6th, 2021 by the vendor. Please refer to the APPENDIX "ADSelfService Plus 6114 Security Fix Release" for details.


What is the Status of Coverage?

Samples provided by US-CERT in this latest alert were not publicly available. IPS coverage feasibility is underway and this threat signal will be updated with relevant updates once they become available.


Any Mitigation and or Workarounds?

It is strongly recommended to update to ADSelfService Plus build 6114. This update is located on the vendor homepage "ADSelfService Plus 6114 Security Fix Release" within the APPENDIX. It is also highly suggested to keep all affected devices from being publicly accessible or being placed behind a physical security appliance/firewall, such as a FortiGate. For further mitigation and workarounds, please refer to the US-CERT Alert and the Zoho Advisory in the APPENDIX.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.