FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw

The FBI, CISA, and the Coast Guard Command (CGCYBER) recently alerted that state-backed advanced persistent threat (APT) groups are currently exploiting a sensitive bug in a Zoho single sign-on and credentials management solution since early August 2021.

Zoho’s users’ list includes “three out of five Fortune 500 companies,” including Apple, Intel, Nike, PayPal, HBO, and many more.

The vulnerability tracked as CVE-2021-40539 was discovered in the Zoho ManageEngine ADSelfService Plus software, and it permits the attackers to take over vulnerable systems following successful exploitation.

Attack also Target Critical Infrastructure Orgs

This joint security advisory permit previous warnings issues by CISA last week, also warning of CVE-2021-40539 in the wild attacks that could permit the threat actor to run the malicious code remotely on negotiated systems.

“The exploitation of ManageEngine ADSelfService Plus poses a serious risk to sensitive infrastructure companies, U.S. –cleared defenses contractors, academic institutions, and other entities that utilizes the software,” the joint advisory alerts.

“Successful exploitation of the vulnerability permits a threat actors to place webshells, which enables the adversary to conduct adjacent movements, and exfiltrating registry hives and Active Directory files.”


In the incidents where CVE-2021-40539 exploits have been utilized, threat actors have been observed setting up a JavaServer Pages (JSP) web shell camouflaged as an X509 certificate. This web shell is afterward utilized for lateral movement through Windows Management Instrumentations (WMI) to access domain controllers and dump NDTS.dit and SECURITY/SYSTEM registry hives.

Moreover, APT gangs behind these attacks have targeted a considerable array of sectors from academic institutions and defense contractors to the sensitive frameworks entities (e.g.., transportation, IT, producing, transmissions, logistics, and economics.)       

What are the Mitigation Measures?

Zoho has released Zoho ManageEngine ADSelfServuce Plus build 6114, which patches the CVE-2021-40539 vulnerability on 6th September.

In a subsequent security warning, the organizations added that it is “noticing indication of this vulnerability being exploited” in the wild. FBI, CISA, and CGCYBER urge the organizations to urgently apply the ADSelfService Plus build 6114 updates and assure the ADSelfService Plus is not directly accessible from the Internet.

“Moreover, FBI, CISA, and CGCYBER strongly recommended domain-wide credentials resets and double Kerberos Ticket Granting Ticket (TGT) credentials resets if any signs is discover that the NTDS.dit file was negotiated,” the agency stated.

Organizations that analyze malicious activity associated with ManageEngineADSelfService Plus indicators of negotiations are suggested to quickly report it as an incident to CISA or the FBI.              

Leave a Reply