"U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day"

The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) warn of the exploitation of a recently disclosed vulnerability in Zoho's ManageEngine ADSelfService Plus product. The critical vulnerability, tracked as CVE-2021-40539, has been exploited by malicious actors since August 2021 to execute code remotely and take over vulnerable systems. It is an authentication bypass bug affecting all ADSelfService Plus builds up to 6113. The vulnerability impacts the Representational State Transfer (REST) Application Programming Interface (API) URLs of the self-service password management and single sign-on solution. According to a joint advisory, the FBI, CISA, and CGCYBER have assessed that Advanced Persistent Threat (APT) cyber actors have likely exploited the vulnerability. Academic institutions, defense contractors, and critical infrastructure entities, such as those in communications, finance, IT, logistics, manufacturing, and transportation, are at risk of compromise because of their use of ADSelfService Plus. Exploitation of the vulnerability could allow an attacker to place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, exfiltrating Active Directory files, and more. This article continues to discuss the warning from the FBI, CISA, and CGCYBER about the exploitation of the critical Zoho bug by APTs.

Security Week reports "U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day"

Submitted by Anonymous on