[CDP-development] TLP AMBER Threat Hunting Guide: Continued APT Exploitation of CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus
MASSE, THERESA
theresa.masse at cisa.dhs.gov
Tue Nov 23 15:34:00 PST 2021
FYSA
On November 23, 2021, the U.S. Coast Guard Cyber Command (CGCYBER), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) published Joint Cybersecurity Advisory (CSA) (Alert AA21-327A), "Threat Hunting Guide: Continued APT Exploitation of CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus." This guide provides updates to information on CVE-2021-40539 published in CSA Alert AA21-259A<https://urldefense.com/v3/__https:/us-cert.cisa.gov/ncas/alerts/aa21-259a__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13KK_We2pg$>.
The federal government has experienced attackers exploiting the vulnerability. This active exploitation of an authentication bypass vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the ManageEngine software.
Patching identified ManageEngine systems with ADSelfService Plus build 6114<https://urldefense.com/v3/__https:/pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13Ktnge1JQ$> does not remove the threat of a previous compromise. Attackers have been observed re-connecting to persistence mechanisms installed prior to the patch application.
Detection actions are crucial.
CISA strongly urges network defenders to implement the detection methods in the updated CSA to determine if their organization has been compromised by this activity.
Please contact CISA (via the reporting portal<https://urldefense.com/v3/__https:/us-cert.cisa.gov/report__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13K3RgGubg$> or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TAB_A1_Threat_Hunting_Guide_Zoho_AA21-327A_22Nov.pdf
Type: application/pdf
Size: 1358050 bytes
Desc: TAB_A1_Threat_Hunting_Guide_Zoho_AA21-327A_22Nov.pdf
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20211123/195b9822/attachment-0001.pdf>