Attackers exploit ZOHO ManageEngine ADSelfService Plus software

Attackers exploit ZOHO ManageEngine ADSelfService Plus software

Attackers have been exploiting vulnerable ZOHO ManageEngine ADSelfService Plus software as part of a targeted campaign.

Researchers from Microsoft and Palo Alto Networks detected exploits against a ManageEngine ADSelfService Plus vulnerability CVE-2021-40539.

Microsoft has attributed the campaign to Chinese-based DEV-0322 cybergang.

The Microsoft Threat Intelligence Center (MSTIC) team described the threat activity in a recent blog post:

“MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.”


In addition, Palo Alto Networks Unit 42 group further described how the threat actors targeted the self-service password management and single sign-on solution to compromise at least nine global organizations across multiple industries from September 22 through early October 2021.

Unit 42 described how those compromises led to the delivery of Godzilla Webshells, NGLite Trojan and KdcSponge Stealer malware:

Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite. The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge.

Palo Alto Networks

These latest discoveries come after a previously released joint alert regarding similar threat was issued by the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) back in September, 2021.

According to that report, advanced persistent threat (APT) actors were identified exploiting the same vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus.

Once compromised, the attackers could then upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an x509 certificate (service.cer). The APT actors then move on to further exploit victim’s systems via sending requests to different API endpoints.

Related Articles