[TheRecord] CISA warns of Zoho server zero-day exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations today to apply the latest security update to their Zoho ManageEngine servers to patch a zero-day vulnerability that has been actively exploited in the wild for more than a week.

Tracked as CVE-2021-40539, the vulnerability impacts Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution from Indian company Zoho.

In a patch and security advisory published earlier today, Zoho described the zero-day as an authentication bypass that can be exploited via ADSelfService Plus REST API URLs and that could allow an attacker to execute malicious code on the server hosting the product.

“A remote attacker could exploit this vulnerability to take control of an affected system,” CISA said today.

Zero-day exploited before last week’s Confluence attacks

According to Matt Dahl, a Principal Intelligence Analyst at security firm CrowdStrike, the Zoho zero-day, while disclosed and patched today, has been under attack for more than a week, even before the attacks against Confluence servers that began last week.

In a series of tweets, Dahl described the attacks as targeted intrusions, most likely carried out by one threat actor.

“Actor(s) appeared to have a clear objective with ability to get in and get out quickly,” Dahl said.

ManageEngine Exploit (CVE-2021-40539)

* Limited use in targeted intrusion activity (Possibly a single actor, but unclear at this point)
* Actor(s) appeared to have a clear objective with ability to get in and get out quickly
* No known POC so exploit appears to be close-hold
— Matt Dahl (@voodoodahl1) September 8, 2021

No public exploit code or technical reports discussing the vulnerability are currently available, suggesting the threat actors discovered the bug on their own rather than weaponizing public code.

How to detect exploitation

Organizations and system administrators who want to check whether their systems have been breached through this zero-day can follow the steps laid out in Zoho's advisory:

In the ManageEngine\ADSelfService Plus\logs folder, search the access log entries for the strings listed below:

* /RestAPI/LogonCustomization
* /RestAPI/Connection

If either of these two entries appears in the logs, the installation has been affected.
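The advisory's check is a plain string search over the access log. The script below is an added example written for this article (it is not code from Zoho, CISA or The Record) that runs that search over a log folder and prints each hit with its line number. It assumes a Tomcat-style combined access-log layout in which the request appears in a quoted "METHOD /path HTTP/x" field, and that access-log file names contain the word "access"; the sample log lines embedded in it are constructed, not captured from a real server.

```python
"""Scan ADSelfService Plus access logs for the two request paths Zoho's
advisory names as indicators of CVE-2021-40539 exploitation.

Added example for this article; not code from Zoho, CISA or The Record.
Assumptions: the access log uses a Tomcat-style combined format with the
request in a quoted "METHOD /path HTTP/x" field, and access-log file names
contain the word "access". Adjust both if your installation differs.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# The two strings the advisory says to search for in the access log.
INDICATORS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Pulls the request path out of the quoted request field so that an indicator
# that appears only in a Referer or User-Agent field is not counted as a hit.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(\S+)')

# Constructed sample log, not captured from a real server. Lines 2 and 3 carry
# the indicators in the request path; line 4 carries one only in the Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2021:10:12:01 +0000] "GET /ShowLogin.do HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2021:10:13:44 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 88 "-" "python-requests/2.26"
10.0.0.9 - - [01/Sep/2021:10:13:46 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 43 "-" "python-requests/2.26"
10.0.0.3 - - [01/Sep/2021:10:15:00 +0000] "GET /ShowLogin.do HTTP/1.1" 200 2048 "https://intranet.example/RestAPI/Connection" "Mozilla/5.0"
"""


def request_path(line: str) -> str | None:
    """Return the request path from an access-log line, or None if the line
    has no recognisable quoted request field."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def find_indicators(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator, line) for every line whose request
    path contains one of the advisory's indicator strings.

    A line without a parseable request field falls back to a whole-line
    substring match, so an unexpected log layout still surfaces hits."""
    hits: list[tuple[int, str, str]] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        haystack = request_path(line)
        if haystack is None:
            haystack = line  # no request field found: search the whole line
        for indicator in INDICATORS:
            if indicator in haystack:
                hits.append((n, indicator, line))
                break
    return hits


def scan_log_dir(log_dir: Path) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every access log under log_dir and return hits keyed by file name."""
    results: dict[str, list[tuple[int, str, str]]] = {}
    for path in sorted(log_dir.glob("*access*")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            hits = find_indicators(fh)
        if hits:
            results[path.name] = hits
    return results


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample. On a real host, call
    # scan_log_dir(Path(r"C:\ManageEngine\ADSelfService Plus\logs")) instead
    # (install path assumed; use your own installation directory).
    for n, indicator, line in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {indicator}\n    {line}")
```

Matching on the request field rather than the whole line is the one refinement over the advisory's instruction: it avoids flagging a benign request whose Referer happens to mention one of the paths, while the whole-line fallback keeps the search no narrower than the advisory's when a line does not parse. A clean result only covers the log files still present on disk; if access logs have been rotated or purged since the exploitation window began, they should be recovered from backups before concluding the installation is unaffected.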

At the time of writing, there are more than 11,000 Zoho ManageEngine servers accessible over the internet.

This is the second major Zoho ManageEngine zero-day that has been actively exploited in attacks. The first, CVE-2020-10189 (in ManageEngine Desktop Central), was exploited by cryptominers, ransomware gangs, and APT groups and, according to the NSA, was one of the most commonly exploited vulnerabilities of 2020, used to plant web shells on servers.

The post CISA warns of Zoho server zero-day exploited in the wild appeared first on The Record by Recorded Future.
