CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
AI Score: 9.9 High (Confidence: High)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.975 High (Percentile: 100.0%)
This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for referenced threat actor tactics and for techniques.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution.
CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.
The FBI, CISA, and CGCYBER have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [T1190] to ManageEngine ADSelfService Plus, as early as August 2021. The actors have been observed using various tactics, techniques, and procedures (TTPs), including:
- Exfiltrating the Active Directory database (NTDS.dit) [T1003.003] or registry hives
- Discovering domain accounts with the net Windows command [T1087.002]
The FBI, CISA, and CGCYBER are proactively investigating and responding to this malicious cyber activity.
Sharing technical and/or qualitative information with the FBI, CISA, and CGCYBER helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask and hold accountable those conducting malicious cyber activities. See the Contact section below for details.
Successful compromise of ManageEngine ADSelfService Plus, via exploitation of CVE-2021-40539, allows the attacker to upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an x509 certificate: service.cer. Subsequent requests are then made to different API endpoints to further exploit the victim's system.
After the initial exploitation, the JSP webshell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, continues the compromised access.
Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.
(Updated November 19, 2021): APT actors are using the following suite of tools to enable this campaign:
The FBI, CISA, and CGCYBER cannot confirm that CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to the initial access vector. For more information, see:
Note: The FBI, CISA, and CGCYBER do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, and CGCYBER. This document does not change any legal requirements or impose new requirements on the public.
APT cyber actors have targeted entities across the 16 critical infrastructure sectors, including academic institutions and defense contractors as well as the transportation, information technology, manufacturing, communications, and finance sectors. Illicitly obtained access and information may disrupt company operations and logistics and subvert U.S. research across critical infrastructure sectors.
Hashes:
`068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324`
`49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba`
File paths:
`C:\ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\ReportGenerate.jsp`
`C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\adap.jsp`
`C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help`
`C:\ManageEngine\ADSelfService Plus\jre\bin\SelfSe~1.key` (filename varies with an epoch timestamp of creation; extension may vary as well)
`C:\ManageEngine\ADSelfService Plus\webapps\adssp\Certificates\SelfService.csr`
`C:\ManageEngine\ADSelfService Plus\bin\service.cer`
`C:\Users\Public\custom.txt`
`C:\Users\Public\custom.bat`
`C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help` (including subdirectories and contained files)
Webshell URL Paths:
`/help/admin-guide/Reports/ReportGenerate.jsp`
`/html/promotion/adap.jsp`
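A defender's sweep of an ADSelfService Plus install directory for the file-path and SHA-256 indicators listed above, written as an added example; it is not code from the advisory, CISA, or Zoho. It assumes the install root is passed in as a parameter (the advisory's paths are relative to the default root), expresses the timestamped SelfSe~1.key name as a `SelfSe*` glob (an assumption), and builds a constructed demo tree in a temporary directory so it runs offline.

```python
"""Sweep an ADSelfService Plus install root for the file-path and SHA-256
indicators listed in the advisory. Added example; not code from CISA or Zoho.
The tree built by build_demo_tree() is constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the advisory's "Hashes" list.
IOC_SHA256 = {
    "068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324",
    "49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba",
}

# Advisory file paths made relative to the install root (default
# C:\ManageEngine\ADSelfService Plus) so non-default installs are covered.
# The SelfSe~1.key name varies (epoch timestamp, extension), so it is
# written as a glob; that glob is an assumption, not the advisory's text.
IOC_RELATIVE_PATHS = [
    "webapps/adssp/help/admin-guide/reports/ReportGenerate.jsp",
    "webapps/adssp/html/promotion/adap.jsp",
    "work/Catalina/localhost/ROOT/org/apache/jsp/help",
    "jre/bin/SelfSe*",
    "webapps/adssp/Certificates/SelfService.csr",
    "bin/service.cer",
]

# Paths the advisory lists outside the install root; checked as absolute paths.
IOC_ABSOLUTE_PATHS = [r"C:\Users\Public\custom.txt", r"C:\Users\Public\custom.bat"]


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(install_root, hashes=IOC_SHA256, max_bytes=5 * 1024 * 1024):
    """Return {'paths': [...], 'hashes': [(relpath, digest), ...]}.

    'paths' holds indicator paths that exist (relative, forward slashes, plus
    any absolute IOC path that exists); 'hashes' holds files under the root
    whose SHA-256 is in `hashes`. Files above max_bytes are skipped: the
    webshells described are small, and the cap keeps the sweep cheap.
    """
    root = Path(install_root)
    found = []
    for pattern in IOC_RELATIVE_PATHS:
        for match in root.glob(pattern):
            found.append(match.relative_to(root).as_posix())
    found.extend(p for p in IOC_ABSOLUTE_PATHS if os.path.exists(p))

    hash_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            try:
                if full.stat().st_size > max_bytes:
                    continue
                digest = sha256_of(full)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort
            if digest in hashes:
                hash_hits.append((full.relative_to(root).as_posix(), digest))
    return {"paths": sorted(found), "hashes": sorted(hash_hits)}


def build_demo_tree():
    """Create a constructed install tree in a temp dir containing a few IOC paths."""
    root = Path(tempfile.mkdtemp(prefix="adssp-demo-"))
    samples = {
        "bin/service.cer": b"constructed sample content, not a real webshell\n",
        "webapps/adssp/help/admin-guide/reports/ReportGenerate.jsp": b"<%-- constructed --%>\n",
        "jre/bin/SelfSe1631000000.key": b"constructed key-like file\n",
        "logs/serverOut0.txt": b"benign constructed log line\n",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = sweep(demo_root)
    print("IOC paths present:", result["paths"])
    print("IOC hash matches:", result["hashes"])
```

Point `sweep()` at the real install root on a suspect host; a path hit is worth triage even when the hash list does not match, because the advisory notes the actors run clean-up scripts and the hashes cover only two observed files.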
Check log files located at C:\ManageEngine\ADSelfService Plus\logs for evidence of successful exploitation of the ADSelfService Plus vulnerability:
- /help/admin-guide/Reports/ReportGenerate.jsp
- /ServletApi/../RestApi/LogonCustomization
- /ServletApi/../RestAPI/Connection
- Keystore will be created for "admin"
- The status of keystore creation is Upload!
- Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig
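A log scanner for the indicators above, added here as an example and not code from the advisory or from CISA. It matches the five single-line strings case-insensitively and treats the Java traceback indicator as a multi-line pattern, since the NullPointerException and the addSmartCardConfig/getSmartCardConfig stack frame normally land on different lines. The sample log and the class name in its stack frame are constructed, and the 20-line window is an assumption.

```python
"""Scan ADSelfService Plus log lines for the exploitation indicators in the
advisory. Added example, not CISA's code. SAMPLE_LOG is constructed; the
class name in its stack frame is invented for illustration."""
import re
import sys

# One case-insensitive pattern per single-line indicator. re.escape keeps the
# "/../" segments literal: the indicator is the path as the advisory gives it.
SINGLE_LINE = {
    "webshell_path": "/help/admin-guide/Reports/ReportGenerate.jsp",
    "restapi_logon_customization": "/ServletApi/../RestApi/LogonCustomization",
    "restapi_connection": "/ServletApi/../RestAPI/Connection",
    "keystore_admin": 'Keystore will be created for "admin"',
    "keystore_upload": "The status of keystore creation is Upload!",
}
PATTERNS = {name: re.compile(re.escape(s), re.I) for name, s in SINGLE_LINE.items()}

# The traceback indicator spans lines: the exception is logged on one line and
# the "at ...addSmartCardConfig(" frame on a later one.
NPE = re.compile(r"NullPointerException")
SMARTCARD = re.compile(r"(add|get)SmartCardConfig")


def scan(lines, window=20):
    """Return [(line_no, indicator, text)] for every indicator hit.

    `window` is how many lines after a NullPointerException a SmartCardConfig
    frame still counts as part of that traceback (assumption; tune to your logs).
    A SmartCardConfig mention with no preceding exception is not reported.
    """
    hits = []
    last_npe = None  # line number of the most recent NullPointerException
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        for name, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((n, name, line))
        if NPE.search(line):
            last_npe = n
        if SMARTCARD.search(line) and last_npe is not None and n - last_npe <= window:
            hits.append((n, "smartcard_npe", line))
    return hits


def scan_file(path, **kw):
    """Scan a log file; undecodable bytes are replaced rather than aborting."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan(f, **kw)


# Constructed sample lines (not real ADSelfService Plus log output).
SAMPLE_LOG = '''[2021-09-10 10:14:59] DEBUG getSmartCardConfig called during startup
[2021-09-10 10:15:01] GET /ServletApi/../RestApi/LogonCustomization HTTP/1.1 200
[2021-09-10 10:15:02] Keystore will be created for "admin"
[2021-09-10 10:15:02] The status of keystore creation is Upload!
[2021-09-10 10:15:03] POST /ServletAPI/../RestAPI/Connection HTTP/1.1 200
[2021-09-10 10:15:04] java.lang.NullPointerException
[2021-09-10 10:15:04]     at com.example.SmartCardServlet.addSmartCardConfig(SmartCardServlet.java:42)
[2021-09-10 10:15:09] GET /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1 200
[2021-09-10 10:16:00] GET /samlLogin/SelfService HTTP/1.1 200
'''

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_LOG.splitlines())
    for n, name, text in results:
        print(f"line {n}: {name}: {text}")
```

The first sample line shows why the window matters: a bare getSmartCardConfig mention before any exception is ignored, while the frame that follows the NullPointerException is reported. The traversal-style paths are matched literally and case-insensitively (the sample uses `ServletAPI`), since the advisory gives both `RestApi` and `RestAPI` spellings.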
TTPs:
- Use of wmic.exe
- Use of pg_dump.exe to dump ManageEngine databases
- Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
Yara Rules:
```yara
rule ReportGenerate_jsp {
    strings:
        $s1 = "decrypt(fpath)"
        $s2 = "decrypt(fcontext)"
        $s3 = "decrypt(commandEnc)"
        $s4 = "upload failed!"
        $s5 = "sevck"
        $s6 = "newid"
    condition:
        filesize < 15KB and 4 of them
}

rule EncryptJSP {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 15KB and 6 of them
}
```
Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately.
Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.
Additionally, FBI, CISA, and CGCYBER strongly recommend domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised.
Immediately report as an incident to CISA or the FBI (refer to Contact Information section below) the existence of any of the following:
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
Revisions:
September 16, 2021: Initial Version
November 19, 2021: Updated to include tools used to enable attack campaign
November 22, 2021: Updated Palo Alto reference to Palo Alto Networks
References:
attack.mitre.org/techniques/T1003/
attack.mitre.org/techniques/T1003/003/
attack.mitre.org/techniques/T1027/
attack.mitre.org/techniques/T1047/
attack.mitre.org/techniques/T1070/004/
attack.mitre.org/techniques/T1087/002/
attack.mitre.org/techniques/T1136/
attack.mitre.org/techniques/T1140/
attack.mitre.org/techniques/T1190/
attack.mitre.org/techniques/T1218/
attack.mitre.org/techniques/T1505/003/
attack.mitre.org/techniques/T1560/001/
attack.mitre.org/techniques/T1573/001/
attack.mitre.org/versions/v9/techniques/enterprise/
pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release
securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/
unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
us-cert.cisa.gov/report
www.cisa.gov/cyber-hygiene-services
www.fbi.gov/contact-us/field-offices
www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/