<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;padding:0in 5.4pt 0in 5.4pt">
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="color:#222222">On November 23, 2021, the U.S. Coast Guard Cyber Command (CGCYBER), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) published Joint Cybersecurity
Advisory (CSA) (Alert AA21-327A), “Threat Hunting Guide: Continued APT Exploitation of CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus.” This guide provides updates to
</span><span style="color:black"><a href="https://urldefense.com/v3/__https:/us-cert.cisa.gov/ncas/alerts/aa21-259a__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13KK_We2pg$">information on CVE-2021-40539 published in CSA
Alert AA21-259A</a></span><span style="color:#222222">. </span><span style="color:black"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="color:#222222">The federal government has experienced attackers exploiting the vulnerability. This active exploitation of an authentication bypass vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors,
academic institutions, and other entities that use the ManageEngine software.</span><span style="color:black"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="color:#222222">Patching identified ManageEngine systems with </span>
<span style="color:black"><a href="https://urldefense.com/v3/__https:/pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13Ktnge1JQ$">ADSelfService
Plus build 6114</a></span><u><span style="color:#1155CC"> </span></u><span style="color:#222222">does not remove the threat of a previous compromise. Attackers have been observed re-connecting to persistence mechanisms installed prior to the patch application.</span><span style="color:black"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="color:#222222">Detection actions are crucial.</span><span style="color:black"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="color:#222222">CISA strongly urges network defenders to implement the detection methods in the updated CSA to determine if their organization has been compromised by this activity.</span><span style="color:black"><o:p></o:p></span></p>
<p style="margin:0in"><i><span style="font-family:'Arial',sans-serif;color:black">Please contact CISA (via the reporting
</span></i><span style="color:black"><a href="https://urldefense.com/v3/__https:/us-cert.cisa.gov/report__;!!JNdenfMLDA!MP23Ho2n_GPKkfHV0p-vQ2FAbTi99E7Odjrg0ZPWaCGhwcYgI-EqV7_M-nfimQSWLD3I13K3RgGubg$"><i><span style="font-family:'Arial',sans-serif">portal</span></i></a></span><i><span style="font-family:'Arial',sans-serif;color:black">
or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.</span></i><span style="color:black"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cyber Security Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
</div>
</body>
</html>