Zoho ManageEngine Flaw Highlights Risks of Race to Patch

Attackers used a pre-auth vulnerability in a component of the enterprise management software suite to compromise businesses, highlighting the dangers of Internet-facing software.

A vulnerability in a self-service password management and single sign-on solution used by 11,000 companies has led to network compromises in at least nine organizations across the globe, underscoring the risks of failing to quickly patch Internet-connected infrastructure.
Since mid-September, a group of cyberattackers has scanned the Internet for potentially vulnerable servers running Zohos ManageEngine ADSelfService Plus password reset management program, after the software developer and cloud service provider patched an authentication-bypass vulnerability on Sept. 6. Once the attackers successfully compromised the vulnerability, they installed two or three other attack tools to retain persistent access on the network and gather credentials from the Active Directory server, researchers at Palo Alto Networks stated in an analysis posted on Nov. 7.
Any company that uses Zoho ManageEngine ADSelfService Plus should check to make sure that no evidence of a compromise exists, says Ryan Olson, vice president of threat intelligence for Palo Alto Networks Unit 42 threat intelligence team.
If you were compromised to that level and then you just patched the vulnerability, they are already stealing all the passwords off your Active Directory server, he says. You may think you cleaned it up, but you are still thoroughly owned, so if you identify any of the [indicators of compromise] in our report, you need to do a full [incident response.
The attack targeting the Zoho ManageEngine vulnerabilities is just the latest attack that relied on exploiting an Internet-facing vulnerability.
For the past three years, attackers have
focused on vulnerabilities in Internet-facing virtual private networking (VPN) appliances and software
as their launching point for attacks. In March, Chinese threat groups focused on
four security issues in Microsofts Exchange Server 2000 to breach company networks
. And in July,
Russian and Ukrainian cybercriminals
used a zero-day vulnerability in Kaseya Virtual System Administrator (VSA) servers to compromise dozens of companies, including managed service providers,
leading to the compromise of as many as 1,500 organizations
.
The trend has underscored the danger of not staying on top of patching for these Internet-facing systems, especially as remote work has expanded during the coronavirus pandemic, pushing more infrastructure into the cloud, where it can be accessed over the public Internet, Olson says.
When an attackers identify a new vulnerability, and they can exploit it, and people are not patching, they start scanning to find vulnerable systems so they can walk through that front door that was left open, he says. Any of these application that are Internet facing, you need to stay so much on top of in patching them because they are a really fast way for an attacker to exploit and compromise networks.
Zoho fixed the
ManangeEngine ADSelfService Plus
authentication-bypass vulnerability (CVE-2021-40539) and notified users on Sept. 6, but within 10 days attackers were already scanning for the critical security issues,
according to a warning issued
by the FBI, US Coast Guard Cyber Command (GCCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA).
More than 11,000 instances of the server software is accessible via the Internet, and at least 370 instances are active in the United States,
according to Palo Alto Networks analysis
.
On compromised systems, the attackers moved quickly to install a publicly available Web shell, known as Godzilla, as well as — in some cases — a backdoor program, NGLite, a custom backdoor program written in the Go language and available on GitHub. Finally, the attackers used a new program that Palo Alto Networks called KdcSponge, which harvests credentials.
KdcSponge will capture the domain name, username and password to a file on the system that the threat actor would then exfiltrate manually through existing access to the server, the analysis stated.
While Zoho issued the original patch two months ago, Palo Alto Networks Olson worries that many companies are still vulnerable. Zoho fixed the issue, but companies have to update to get the patch and not everyone does that right away, he says.
Companies should patch the issue, if they have not already, and then conduct an incident response investigation, because if the attackers already gained access, patching will not secure a companys network, says Olson.
Palo Alto Networks continues to see scanning for the issue.
The findings underscore the need for organizations to quickly respond to disclosures of critical vulnerabilities by installing patches and taking other precautions to block attacks, the company said in a statement. This is especially the case for high-value targets in critical sectors that are constantly being probed for vulnerabilities.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Zoho ManageEngine Flaw Highlights Risks of Race to Patch