{"id":3180,"date":"2021-09-17T13:32:34","date_gmt":"2021-09-17T08:02:34","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3180"},"modified":"2021-09-17T13:32:35","modified_gmt":"2021-09-17T08:02:35","slug":"fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/","title":{"rendered":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">The FBI, CISA, and the U.S. Coast Guard Cyber Command (CGCYBER) have issued a joint advisory warning that state-backed advanced persistent threat (APT) groups have been exploiting a critical vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, since early August 2021.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Zoho\u2019s customer list includes \u201cthree out of five Fortune 500 companies,\u201d among them Apple, Intel, Nike, PayPal, and HBO.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The vulnerability, tracked as CVE-2021-40539, is an authentication bypass in the REST API of ADSelfService Plus that leads to remote code execution, so a successful exploit gives the attacker control of the vulnerable server.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Attacks Also Target Critical Infrastructure Organizations<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">The joint advisory follows an earlier alert issued by CISA last week, which also warned that CVE-2021-40539 was being exploited in the wild to execute malicious code remotely on compromised systems.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cThe exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.
-cleared defense contractors, academic institutions, and other entities that use the software,\u201d the joint advisory warns.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cSuccessful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as conducting lateral movement and exfiltrating registry hives and Active Directory files.\u201d<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1-1024x587.webp\" alt=\"FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1\" class=\"wp-image-3184\" width=\"472\" height=\"270\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1-1024x587.webp 1024w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1-300x172.webp 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1-768x440.webp 768w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-image1.webp 1500w\" sizes=\"(max-width: 472px) 100vw, 472px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">In the incidents where CVE-2021-40539 has been exploited, the threat actors have been observed deploying a JavaServer Pages (JSP) web shell masquerading as an X.509 certificate.
This web shell is then used for lateral movement over Windows Management Instrumentation (WMI) to reach domain controllers and dump the NTDS.dit database together with the SECURITY and SYSTEM registry hives. The SYSTEM hive holds the boot key that protects the password hashes stored in NTDS.dit, so an attacker who obtains both has effectively captured every credential in the domain.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The APT groups behind these attacks have targeted a broad range of sectors, from academic institutions and defense contractors to critical infrastructure entities in industries such as transportation, IT, manufacturing, communications, logistics, and finance.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What are the Mitigation Measures?<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">Zoho released ManageEngine ADSelfService Plus build 6114, which patches CVE-2021-40539, on September 6, 2021; builds up to and including 6113 are affected.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">In a subsequent security advisory, the company added that it is \u201cnoticing indications of this vulnerability being exploited\u201d in the wild.
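<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">As an added example that is not part of the original post or of the joint advisory, the following PowerShell hunts for the web shell described above: a JSP file stored under a certificate extension inside the ADSelfService Plus install tree. A genuine certificate file parses as X.509, while a JSP file does not and carries scriptlet markers. The default install path under the system drive is an assumption; pass -Root to point at the real installation.<\/p><\/p>\n\n\n\n```powershell
# Added example, not code from the advisory or from Zoho.
# Lists files with a certificate extension that do not parse as X.509 or that
# contain JSP markers, under the ADSelfService Plus install tree.
function Find-FakeCertificateWebShell {
    param(
        # Assumed default install path; override with -Root if the product lives elsewhere
        [string]$Root = (Join-Path (Join-Path $env:SystemDrive 'ManageEngine') 'ADSelfService Plus')
    )
    Get-ChildItem -Path $Root -Recurse -File -Include *.cer, *.crt, *.pem, *.der -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue

        # Markers that only make sense in JSP source, never in a certificate
        $jspMarkers = ($text -match '<%') -or ($text -match '<jsp:') -or ($text -match 'Runtime[.]getRuntime') -or ($text -match 'ProcessBuilder')

        # A real certificate (PEM or DER) loads as X509Certificate2; a JSP file throws.
        # A shell appended to a genuine certificate still loads, so both checks run.
        $parsesAsCert = $true
        try {
            $null = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        } catch {
            $parsesAsCert = $false
        }

        if ($jspMarkers -or -not $parsesAsCert) {
            [pscustomobject]@{
                Path          = $file.FullName
                JspMarkers    = $jspMarkers
                ParsesAsCert  = $parsesAsCert
                LastWriteTime = $file.LastWriteTime
                SizeBytes     = $file.Length
            }
        }
    }
}

# Usage: newest suspicious files first; a hit with JspMarkers = True is a web shell until proven otherwise
Find-FakeCertificateWebShell | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```\n\n\n\n<p><p style=\"text-align: justify;\">PEM bundles that also carry a private key fail the X.509 load and appear with ParsesAsCert = False but no JSP markers; treat those as triage candidates rather than confirmed shells. Any hit dated from early August 2021 onward on an Internet-facing server should be handled as a compromise, not as a cleanup task.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">The double TGT password reset the agencies recommend is a reset of the krbtgt account performed twice. The following PowerShell, again an added example rather than the agencies\u2019 or Microsoft\u2019s own tooling, performs one reset against the PDC emulator and then checks that every domain controller has replicated the new value. Run it twice and, following Microsoft\u2019s guidance for krbtgt resets, wait at least the maximum TGT lifetime (10 hours by default) between the two runs so that tickets still in use are not invalidated. It assumes the ActiveDirectory module and Domain Admin rights.<\/p><\/p>\n\n\n\n```powershell
# Added example, not code from the advisory or from Microsoft.
# One krbtgt password reset plus a replication check. Run twice, at least
# 10 hours apart (default maximum TGT lifetime), to retire the stolen key.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Reset on the PDC emulator so the change replicates outward from one place
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # A random value is supplied; nobody needs to know or keep it
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $before = (Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet).PasswordLastSet
    if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password')) {
        Set-ADAccountPassword -Identity krbtgt -Server $Server -Reset -NewPassword $newPassword
    }
    $after = (Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet).PasswordLastSet
    [pscustomobject]@{ Server = $Server; PasswordLastSetBefore = $before; PasswordLastSetAfter = $after }
}

function Test-KrbtgtReplicated {
    param([Parameter(Mandatory = $true)][datetime]$ExpectedPasswordLastSet)
    # Ask every DC directly; all must report the new PasswordLastSet before the second reset
    Get-ADDomainController -Filter * | ForEach-Object {
        $pls = (Get-ADUser -Identity krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet
        [pscustomobject]@{ DC = $_.HostName; PasswordLastSet = $pls; InSync = ($pls -ge $ExpectedPasswordLastSet) }
    }
}

# Usage (first of the two resets):
#   Reset-KrbtgtPassword -WhatIf          # dry run; drop -WhatIf to apply
#   $r = Reset-KrbtgtPassword
#   Test-KrbtgtReplicated -ExpectedPasswordLastSet $r.PasswordLastSetAfter | Format-Table -AutoSize
#   Repeat both steps after at least 10 hours, once every DC shows InSync = True.
```\n\n\n\n<p><p style=\"text-align: justify;\">Do the second reset only after every domain controller reports InSync = True; a DC that has not replicated the first change would otherwise fall two keys behind and start rejecting valid tickets. The krbtgt reset does not replace the domain-wide password reset the agencies also call for: it invalidates forged Kerberos tickets, not the user and service credentials recovered from NTDS.dit.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">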
FBI, CISA, and CGCYBER urge organizations to apply the ADSelfService Plus build 6114 update immediately and to ensure that ADSelfService Plus is not directly accessible from the Internet.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cMoreover, FBI, CISA, and CGCYBER strongly urge domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised,\u201d the agencies state. The double reset applies to the krbtgt account: domain controllers keep the previous krbtgt key alongside the current one so that tickets issued before a reset stay valid, which means a single reset leaves tickets forged with the stolen key usable until the second reset retires that key.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Organizations that identify activity matching the ManageEngine ADSelfService Plus indicators of compromise are urged to report it immediately as an incident to CISA or the FBI.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The FBI, CISA, and the Coast Guard Command (CGCYBER) recently alerted that state-backed advanced persistent threat (APT) groups are currently exploiting a sensitive bug in a Zoho single sign-on and credentials management solution since early August 2021. 
Zoho\u2019s users&#8217; list includes \u201cthree out of five Fortune 500 companies,\u201d including Apple, Intel, Nike, PayPal, HBO, and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3183,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The FBI, CISA, and the Coast Guard Command (CGCYBER) recently alerted that state-backed advanced persistent threat (APT) groups are currently exploiting a sensitive bug in a Zoho single sign-on and credentials management solution since early August 2021. 
Zoho\u2019s users&#8217; list includes \u201cthree out of five Fortune 500 companies,\u201d including Apple, Intel, Nike, PayPal, HBO, and [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-17T08:02:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-17T08:02:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw\",\"datePublished\":\"2021-09-17T08:02:34+00:00\",\"dateModified\":\"2021-09-17T08:02:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\"},\"wordCount\":427,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\",\"url\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\",\"name\":\"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-09-17T08:02:34+00:00\",\"dateModified\":\"2021-09-17T08:02:35+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/","og_locale":"en_US","og_type":"article","og_title":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private Limited","og_description":"The FBI, CISA, and the Coast Guard Command (CGCYBER) recently alerted that state-backed advanced persistent threat (APT) groups are currently exploiting a sensitive bug in a Zoho single sign-on and credentials management solution since early August 2021. Zoho\u2019s users&#8217; list includes \u201cthree out of five Fortune 500 companies,\u201d including Apple, Intel, Nike, PayPal, HBO, and [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-09-17T08:02:34+00:00","article_modified_time":"2021-09-17T08:02:35+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/FBI-and-CISA-alert-of-state-Hackers-Exploiting-Critical-Zoho-Flaw-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw","datePublished":"2021-09-17T08:02:34+00:00","dateModified":"2021-09-17T08:02:35+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/"},"wordCount":427,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/","url":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/","name":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-09-17T08:02:34+00:00","dateModified":"2021-09-17T08:02:35+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/fbi-and-cisa-alert-of-state-hackers-exploiting-critical-zoho-flaw\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"FBI and CISA alert of state Hackers Exploiting Critical Zoho Flaw"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3180"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3180"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3180\/revisions"}],"predecessor-version":[{"id":3185,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3180\/revisions\/3185"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3183"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}