HomesecurityFBI and CISA: Hackers exploit a critical Zoho bug

FBI and CISA: Hackers exploit a critical Zoho bug

The FBI, CISA and the Coast Guard (CGCYBER) warned today that state-backed persistent threat (APT) groups have been exploiting a critical bug in a Zoho system since early August 2021.

See also: Patch Tuesday September 2021: Microsoft fixes critical bugs


Zoho's customer list includes "three in five Fortune 500 companies", including Apple, Intel, Nike, PayPal, HBO and many more.

The vulnerability identified as CVE-2021-40539 was found in the Zoho ManageEngine ADSelfService Plus software and allows attackers to "take over" vulnerable systems after a successful exploitation.

See also: Netgear: Fixes serious bugs in over twelve smart switches

The attacks also target critical infrastructure organizations

This advisory follows a previous warning issued by CISA last week, which warned of CVE-2021-40539 which could allow threatening operators to execute malicious code remotely in breached systems.

In cases where exploits CVE-2021-40539 have been used, attackers have been observed developing a web shell JavaServer Pages (JSP) camouflaged as an x509 certificate.

This web shell is then used for side-by-side navigation through Windows Management Instrumentation (WMI) to access domain controllers and reject NTDS.dit and SECURITY / SYSTEM registry hives.

So far, the APT teams behind these attacks have targeted a wide range of sectors from academia and defense contractors to vital players.

See also: Google app bug on Android creates call issue

Mitigation measures

Zoho released the Zoho ManageEngine ADSelfService Plus build 6114, which fixed vulnerability CVE-2021-40539 on September 6th.

In a subsequent security alert, the company added that it "observes signs of exploiting this vulnerability."

The FBI, CISA, and CGCYBER urge agencies to implement the ADSelfService Plus build 6114 update immediately and to ensure that ADSelfService Plus is not directly accessible from Internet.

Organizations that detect malware related to ManageEngineADSelfService Plus are advised to report it immediately to the CISA or the FBI.

Source of information:

Teo Ehc
Be the limited edition.