[TheRecord] CISA warns of Zoho server zero-day exploited in the wild

The US Cybersecurity and Infrastructure Security Agency urged organizations today to apply the latest security update to their Zoho ManageEngine servers to patch a zero-day vulnerability that has been actively exploited in the wild for more than a week.

Tracked as CVE-2021-40539, the vulnerability impacts Zoho ManageEngine ADSelfService Plus, a password management and single sign-on (SSO) solution from Indian company Zoho.

In a patch and security advisory published earlier today, Zoho described the zero-day as an authentication bypass that can be exploited via ADSelfService Plus REST API URLs and which could allow an attacker to execute malicious code on the underlying Zoho server.

“A remote attacker could exploit this vulnerability to take control of an affected system,” CISA said today.

Zero-day exploited before last week’s Confluence attacks

According to Matt Dahl, a Principal Intelligence Analyst at security firm CrowdStrike, the Zoho zero-day, while disclosed and patched today, has been under attack for more than a week, even before the attacks against Confluence servers that began last week.

In a series of tweets, Dahl described the attacks as targeted intrusions, most likely carried out by one threat actor.

“Actor(s) appeared to have a clear objective with ability to get in and get out quickly,” Dahl said.

ManageEngine Exploit (CVE-2021-40539)

* Limited use in targeted intrusion activity (Possibly a single actor, but unclear at this point)
* Actor(s) appeared to have a clear objective with ability to get in and get out quickly
* No known POC so exploit appears to be close-hold


— Matt Dahl (@voodoodahl1) September 8, 2021

No public exploit code or technical reports discussing the vulnerability are currently available, suggesting the threat actors discovered the bug on their own rather than weaponizing public code.

How to detect exploitation

Companies and system administrators who’d like to investigate whether their systems have been breached with this zero-day can follow these steps, as laid out in the Zoho advisory linked above:

In the ManageEngine\ADSelfService Plus\logs folder, search the access log entries for the strings listed below:

* /RestAPI/LogonCustomization
* /RestAPI/Connection

If you find either of these two entries in the logs, it means your installation has been affected.
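The log check above, as an added example that is not part of the article or the Zoho advisory: a small Python script that scans access-log lines for the two indicator paths and reports every hit. The sample log lines are constructed, the `access_log*` file-name glob and the case-insensitive matching are assumptions, and the folder path must be pointed at the installation's own logs directory.

```python
from pathlib import Path
from typing import Iterable, List, Tuple

# The two request paths the Zoho advisory tells administrators to look for
# in the ADSelfService Plus access logs.
INDICATORS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, log_line) for every line containing
    one of the advisory's indicator paths. Matching is case-insensitive so
    URL-casing variants are not missed (an assumption beyond the advisory)."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for indicator in INDICATORS:
            if indicator.lower() in lowered:
                hits.append((lineno, indicator, line.rstrip("\n")))
                break  # one report per line is enough
    return hits


def scan_logs_folder(folder: str) -> List[Tuple[str, int, str, str]]:
    """Scan every access log file in the given folder. The 'access_log*'
    file-name pattern is an assumption; adjust it to the installation."""
    results = []
    for path in sorted(Path(folder).glob("access_log*")):
        with path.open(errors="replace") as fh:
            for lineno, indicator, line in scan_access_log(fh):
                results.append((path.name, lineno, indicator, line))
    return results


# Constructed sample access-log lines (not real log data): ordinary
# requests plus two that carry the advisory's indicator strings.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2021:10:01:12 +0000] "GET /authorization.do HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Sep/2021:10:01:15 +0000] "POST /j_security_check HTTP/1.1" 302 0',
    '203.0.113.7 - - [08/Sep/2021:10:02:40 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 317',
    '203.0.113.7 - - [08/Sep/2021:10:02:41 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 84',
    '10.0.0.9 - - [08/Sep/2021:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, indicator, line in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: matched {indicator}: {line}")
```

Any hit is what the advisory treats as evidence the installation has been affected, so the matching lines (source address, timestamp) are the starting point for the incident response rather than the end of the check.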

At the time of writing, there are more than 11,000 Zoho ManageEngine servers accessible over the internet.

This is the second major Zoho ManageEngine zero-day that has been actively exploited in attacks. The first, CVE-2020-10189, was exploited by cryptominers, ransomware gangs, and APT groups, and, according to the NSA, was one of the most commonly exploited vulnerabilities of 2020 used to plant web shells on servers.

The post CISA warns of Zoho server zero-day exploited in the wild appeared first on The Record by Recorded Future.
