[BreachExchange] FBI, CISA, CGCYBER Warn of APTs Targeting CVE-2021-40539

[Sophia Kingsbury]

https://www.darkreading.com/threat-intelligence/fbi-cisa-cgcyber-warn-of-apts-targeting-cve-2021-40539

Advanced persistent threat attackers are exploiting a newly identified
vulnerability in Zoho ManageEngine ADSelfService Plus, according to a joint
advisory from the FBI, the United States Coast Guard Cyber Command
(CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA).

CVE-2021-40539 is a critical authentication bypass vulnerability in the
software, which is a self-service password management and single sign-on
tool. The FBI, CISA, and CGCYBER have reports of attackers using exploits
against the vulnerability to gain access to the tool as early as August
2021.

If successfully exploited, the vulnerability could allow attackers to place
Web shells that could enable attackers to conduct post-exploitation
activities such as admin credential compromise, lateral movement, and
exfiltration of registry hives and Active Directory files, officials report.

"The exploitation of ManageEngine ADSelfService Plus poses a serious risk
to critical infrastructure companies, U.S.-cleared defense contractors,
academic institutions, and other entities that use the software," officials
write in an alert. They say the FBI, CISA, and CGCYBER are "proactively
investigating and responding to" the attack activity.

Zoho patched the vulnerability on Sept. 6, 2021. Officials urge
organizations to update to ADSelfService Plus build 6114 and ensure
ADSelfService Plus is not directly accessible from the Internet.

Read CISA's full alert for more information on tactics, techniques, and
procedures as well as technical details.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210917/5fde89af/attachment.html>