CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug

The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.

The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.

At issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users’ Active Directory (AD) and cloud accounts.

The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users and attackers alike.

Infosec Insiders Newsletter

Last Tuesday, Zoho issued a patchZoho ManageEngine ADSelfService Plus build 6114 – for the flaw, which is tracked as CVE-2021-40539 with a 9.8 severity rating. As the Cybersecurity and Infrastructure Security Agency (CISA) warned at the time, it was being actively exploited in the wild as a zero-day.

According to today’s joint advisory from the three government cybersecurity arms – FBI, CISA and CGCYBER – the exploits pose “a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.”

You can see why: Successful exploitation of a lynchpin piece of security like a SSO and password handler could lay out a welcome mat for adversaries. Specifically, as the advisory iterated, an adversary could use the vulnerability to pry open security defenses in order to compromise admin credentials, move laterally through the network, and exfiltrate registry hives and AD files.

That’s of concern to any business, but with Zoho, we’re talking about a security solution that’s used by critical infrastructure companies, U.S.-cleared defense contractors and academic institutions, among others.

The joint advisory said that APT groups have in fact targeted such entities in multiple industries, including transportation, IT, manufacturing, communications, logistics and finance.

“Illicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors,” the advisory noted. “Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

Confirming Exploits May Be Tough

Successful attacks have been uploading a .zip file containing a JavaServer Pages (JSP) webshell – accessible at /help/admin-guide/Reports/ReportGenerate.jsp – pretending to be an x509 certificate, service.cer. Next come requests to different API endpoints to further exploit the targeted system.

The next step in the exploit is lateral movement using Windows Management Instrumentation (WMI), gaining access to a domain controller, dumping of NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, further compromised access.

“Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult,” the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.

The advisory provided this laundry list of tactics, techniques and processes (TTP) being used by threat actors to exploit the vulnerability:

  • WMI for lateral movement and remote code execution (wmic.exe)
  • Using plaintext credentials acquired from compromised ADSelfService Plus host
  • Using pg_dump.exe to dump ManageEngine databases
  • Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
  • Exfiltration through webshells
  • Post-exploitation activity conducted with compromised U.S. infrastructure
  • Deleting specific, filtered log lines

Mitigations

Organizations that detect indicators of compromise (IoC) around their ManageEngine ADSelfService Plus installations “should take action immediately,” the trio of agencies instructed.

“FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,” the trio stated. They also strongly urged organizations to keep ADSelfService Plus away from direct access via the internet.

They’re also strongly recommending domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets “if any indication is found that the NTDS.dit file was compromised.”

This One Will Hurt

Jake Williams, co-founder and CTO at incident response firm BreachQuest, said that organizations should take note of the fact that threat actors have been using webshells as a post-exploitation payload. In the case of the exploitation of this Zoho flaw, they’re using webshells disguised as certificates: something that security teams should be able to pick up on in web server logs, but “only if organizations have a plan for detection.”

No time like the present to start, he told Threatpost on Thursday: “Given that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.”

Finding a critical vulnerability in the system intended to help your employees manage and reset their passwords is “exactly as bad as it sounds,” noted Oliver Tavakoli, CTO at cybersecurity firm Vectra. “Even if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. Recovery will be expensive – ‘domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets’ are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time.”

This ManageEngine vulnerability is the fifth instance of similarly critical vulnerabilities from ManageEngine this year, noted Sean Nikkel, senior cyber threat intel analyst at digital risk protection provider Digital Shadows. Unfortunately but predictably, given how much access attackers can get out of exploiting a vulnerability like this, we can likely expert more widespread exploitation of this and previous bugs, “given the interactivity with Microsoft system processes.”

Nikkel continued with yet another gloomy prediction: “The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future,” he mused.

All of which points to what CISA et al. have been urging about these vulnerabilities: namely, patch fast. “Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin,” Nikkel said.

See Something, Say Something

Organizations should immediately report any of the following to CISA or the FBI:

  • Identification of IoC as outlined in the advisory.
  • Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.

Here are the reporting instructions:

  • Contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, include the incident date, time and location; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
  • To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.
  • To report cyber incidents to the Coast Guard contact the USCG National Response Center (NRC). Phone: 1-800-424-8802, email: NRC@uscg.mil.

Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.

Suggested articles