The U.S. government is warning that APT actors are using several different tools in attacks that exploit the previously disclosed authentication bypass flaw in the Zoho ManageEngine ADSelfService Plus password management application, which is used extensively in enterprises and government agencies.
The flaw (CVE-2021-40539) was disclosed in September and at the time of the initial publication, attackers were already exploiting it. Successful exploitation allows an attacker to bypass authentication and upload an arbitrary file and eventually achieve remote code execution.
“This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks resulting in RCE,” the Zoho advisory says.
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) said that its specialists have seen APT actors using four individual tools, including a backdoor and a special piece of malware designed to steal credentials from Microsoft’s implementation of the Kerberos protocol. The tools have been used in attacks by an APT actor that is separate from the one that was running the initial attacks against the vulnerability in September. Researchers noticed a separate campaign begin immediately following the initial disclosure, and the attacks were successful in compromising several large companies in technology, defense, and other industries.
“Following initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This activity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who subsequently received a modified version of a new backdoor called NGLite,” researchers from Palo Alto Networks Unit 42 said in a post on the activity.
“The threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server. Once the actors pivoted to a domain controller, they installed a new credential-stealing tool that we track as KdcSponge.”
The KdcSponge tool is specifically designed to target domain controllers and steal credentials by injecting itself into the LSASS process and collecting usernames and passwords. Two of the other tools, Godzilla and NGLite, are Chinese-language tools and are publicly available.
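The advisory's practical advice is to hunt for the tools rather than only the initial access vector, and the LSASS-injection behaviour described above is one place to start. The following is an added illustration, not code from CISA, Unit 42 or the advisory: it runs a simple rule over constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process outside an assumed baseline that opens a handle to `lsass.exe`, rating the finding higher when the granted access rights include the bits needed to read or write process memory. The log format, the sample records, the allow-list and the severity scheme are all assumptions for this example.

```python
"""Flag unexpected processes opening lsass.exe (added example, not page code).

Input: constructed Sysmon Event ID 10 (ProcessAccess) records written as
'key=value' pairs joined by '|'. Real Sysmon logs are XML/EVTX; the flat
format here is an assumption to keep the example self-contained.
"""
from dataclasses import dataclass

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Windows\\Temp\\svchost.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Users\\Public\\tool.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
]

# Processes that routinely open LSASS on a Windows host. This is an assumed
# baseline for the example; a real deployment tunes it to its own hosts.
EXPECTED_LSASS_CLIENTS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsm.exe",
}

# Access rights that let a caller read or modify another process's memory or
# run code in it: PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8),
# PROCESS_VM_READ (0x10), PROCESS_VM_WRITE (0x20).
MEMORY_RIGHTS = 0x2 | 0x8 | 0x10 | 0x20


@dataclass(frozen=True)
class Finding:
    source_image: str
    granted_access: int
    severity: str


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record into a dict (first '=' separates key/value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_lsass_target(fields: dict) -> bool:
    """True when the accessed process is lsass.exe (case-insensitive path)."""
    return fields.get("TargetImage", "").lower().endswith("\\lsass.exe")


def evaluate(lines):
    """Return a Finding for each ProcessAccess event on LSASS from a process
    that is not on the baseline. Memory-capable access rights raise severity."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10" or not is_lsass_target(ev):
            continue  # not a process-access event, or not aimed at LSASS
        source = ev.get("SourceImage", "").lower()
        if source in EXPECTED_LSASS_CLIENTS:
            continue  # baseline process; nothing to raise
        access = int(ev.get("GrantedAccess", "0"), 16)
        severity = "high" if access & MEMORY_RIGHTS else "medium"
        findings.append(Finding(source, access, severity))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source_image} opened lsass.exe "
              f"with GrantedAccess=0x{f.granted_access:X}")
```

Note that the second record is a binary named `svchost.exe` running from `C:\Windows\Temp`; matching on the full lowercased path rather than the file name is what keeps it out of the baseline. The allow-list approach trades some noise for coverage, so the severity split lets an analyst triage handle opens that carry memory-read or thread-creation rights before the rest.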
ManageEngine, which is a division of Zoho, released a fixed version of ADSelfService Plus in September, and has also released a tool to detect exploitation of the vulnerability. CISA officials said that while attackers are using the ManageEngine flaw for initial access, it may not be the only vulnerability they’re using.
“The FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector,” the CISA advisory says.