Threat Management, Identity

US warns APT groups ‘likely’ among groups exploiting flaw in Zoho password manager

A pedestrian walks by the headquarters of The Boeing Co. on Jan. 29, 2020, in Chicago. The Department of Homeland Security, FBI and NSA are warning about a two-year Russian campaign targeting defense contractors.  (Photo by Scott Olson/Getty Images)

The FBI, the Cybersecurity and Infrastructure Security Agency and the U.S. Coast Guard are warning that hackers, including one or more advanced persistent threat groups, are likely actively exploiting a vulnerability in a popular password manager and single sign-on application.

In a joint advisory, the agencies said the flaw, which affects Zoho ManageEngine ADSelfService Plus, allows an attacker to bypass authentication and achieve remote code execution. They warned that a wide range of targets and sectors that use the software are vulnerable.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software,” the advisory notes. “Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

Zoho released a patch on September 6 to close the flaw and said ADSelfService Plus builds up to 6113 are affected.

“This is a critical issue. We are noticing indications of this vulnerability being exploited,” a security advisory from the company warns.

The joint advisory from CISA, the FBI and United States Coast Guard Cyber Command builds on that, saying they “have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [to ManageEngine ADSelfService Plus] as early as August 2021.”

According to the agencies, the threat actors exploiting the flaw have been observed using a number of TTPs, including writing webshells to disk to maintain persistence, obfuscating and deobfuscating files, adding and deleting users and accounts, stealing copies of Active Directory databases, relying on signed Windows binaries, deleting or removing indicators of compromise, and using custom symmetric encryption for command and control.

It’s not clear how widespread actual exploitation is versus potential exposure. Password managers are a popular way to create and use randomly generated passwords across a wide range of devices and apps without having to store or remember them. Single sign-on solutions allow a user’s credentials and other information to be passed from one system to another.

Security experts typically recommend password managers as a more secure option than inventing one-off passwords or reusing them across accounts, but they also centralize your passwords into a single app and create a single point of failure that, if compromised, can lead to far wider exploitation.

The agencies said they were “proactively investigating and responding” to the incident. The FBI is tapping its cyber units in all 56 field offices across the country, as well as CyWatch, its operations center and watch floor, to track incidents and share information. The Coast Guard Cyber Command has “deployable elements” for marine transportation system critical infrastructure. Finally, CISA is offering no-cost cyber hygiene services to organizations to identify and close cybersecurity gaps.

The three sectors listed in the joint advisory have all been subject to relentless attacks and probing from state-backed hacking groups. For years, U.S. officials have sounded the alarm over wide-ranging campaigns targeting the defense industrial base. Last year FireEye revealed “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years,” which impacted at least 75 customers, 20 different countries and 19 separate industries and sectors. Defense contractors were also targeted in that campaign, and flaws in Zoho’s ManageEngine Desktop Central were among the three products exploited, along with Cisco routers and Citrix Netscaler ADC. While much of the focus and discussion in Washington revolves around China and economic espionage, hackers tied to the Russian and Iranian governments have also targeted defense companies and their employees.

The joint alert also lists multiple critical infrastructure sectors, including transportation, IT, manufacturing, communications, logistics and finance, as being targeted by the APT. In the wake of high-profile ransomware attacks against meat producer JBS and oil and gas company Colonial Pipeline, the Biden administration has become heavily focused on protecting critical infrastructure from nation-state hackers and cybercriminals. In July, the White House issued a National Security Memorandum tasking multiple agencies with a range of actions to shore up cybersecurity across multiple sectors, while President Biden reportedly gave Russian President Vladimir Putin a list of 16 critical infrastructure sectors the U.S. considers off limits for Russian government and ransomware actors.

Users can find the latest patch for ManageEngine ADSelfService Plus here. The joint alert includes indicators of compromise. CISA also advises organizations to conduct domain-wide password resets and a double reset of the Kerberos Ticket Granting Ticket (KRBTGT) account.

Cybersecurity analysts in the private sector also pointed out areas of focus for IT defenders.

“While patching is important and especially so with such a high impact vulnerability, organizations should note the frequent use of web shells as a post-exploitation payload,” said Jake Williams, a former NSA hacker and chief technology officer and cofounder at BreachQuest. “In this case, threat actors have been observed using web shells that were disguised as certificates. This sort of activity should stand out in web server logs - but only if organizations have a plan for detection.”
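As an added illustration of the detection point in the quote above (example code written for this page, not from the advisory, Zoho or BreachQuest), the script below parses constructed Tomcat/Apache combined-format access-log lines and flags requests to certificate-named paths that a static certificate file would never legitimately receive: non-GET methods or a query string. All addresses, paths and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:08:01:12 +0000] "GET /static/images/logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2021:08:02:44 +0000] "GET /static/certs/server.cer HTTP/1.1" 200 1308 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2021:08:03:01 +0000] "POST /static/certs/service.cer HTTP/1.1" 200 2213 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Sep/2021:08:03:09 +0000] "GET /static/certs/service.cer?id=1 HTTP/1.1" 200 188 "-" "python-requests/2.25.1"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a web shell might borrow to blend in with certificate material.
CERT_EXTS = (".cer", ".crt", ".pem", ".der", ".p12", ".pfx")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """A certificate is static content: it should only be fetched with a plain GET.
    A POST (or any non-GET) to it, or a query string on it, is the signal."""
    path, _, query = entry["target"].partition("?")
    if not path.lower().endswith(CERT_EXTS):
        return False
    return entry["method"] != "GET" or bool(query)


def scan(log_text):
    """Return the parsed entries that trip the certificate-path heuristic."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and is_suspicious(e)]


def summarize(hits):
    """Count hits per (client ip, path) so an analyst sees repeated use of one file."""
    return Counter((h["ip"], h["target"].partition("?")[0]) for h in hits)


if __name__ == "__main__":
    for (ip, path), n in summarize(scan(SAMPLE_LOG)).items():
        print(f"{ip} hit {path} {n} time(s) with non-static access")
```

A benign GET of a real certificate is left alone, so the rule is cheap to run continuously over the access log rather than only during an investigation.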

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
