Posted on September 19, 2021 at 7:34 AM

FBI Issues Warning against Zoho Bug used by Hackers

The United States Federal Bureau of Investigations has taken the time to warn users that hackers could be exploiting the crucial Zoho bug in implementing their attacks. In their messages, the FBI encourages companies to update their Zoho ADSelfService Plus to save themselves from the dreaded attacks.

A joint advisory between the Coastal Guard Cyber Command (CGCUBER), FBI, and the CISA, critical warnings are now being passed to organizations more than ever before because the threat of being targeted by the hackers is real. The warnings are directed to enterprise companies concerning the threat groups who are believed to be sponsored by the state as advanced persistent threat (APT) bodies to take advantage of software vulnerabilities associated with Zoho actively.

Zoho can be perceived to be software for reporting expenses of an organization and as developed to help entities and establishments in their efforts to develop their businesses. Zoho Expense has received multiple upgrades like enhancement of user control, capacity for control with associated business, and most recently, budget creation and tracking right from the software’s dashboard.  

Organizations can also set up customizable alerts to help them avoid overspending and going against set budgets. They can also block more applications automatically while taking advantage of the new rule engine to ensure that their finance departments abide by the compliance requirements.

Security flaw associated with the Zoho bug

Tracked to be CVE-2021-40539, the flaw was a discovery found within Zoho’s ManageEngine ADSelfService Plus, software that enables both single sign-on and capabilities related to password management. The exploitation of such a flaw possitions the attacker in an extraordinary state where they can take control over all the flawed systems within the network of that particular company.

The warning passed by this security advisory committee comes a period after the same warnings had also been issued by the CISA to other companies on matters to do with the vulnerability within their security systems. In their address, CISA made sure that companies knew that the flaw was subject to exploitation and that if this happened, the hackers would have remote access code implementation abilities.

CISA gave out more information on how hackers were taking advantage of the system flaws, citing that the attacking ManageEngine ADSelfService Plus was inspired by the level of threat a successful attack would have on the infrastructure of the targeted companies, which included critical infrastructure firms, United States cleared defence contractors, and schools, among other institutions using Zoho software.

Effects of a successful attack

When hackers or threat attackers successfully exploited the vulnerability, they would be able to install webshells into the system, an action that makes it possible for them to carry out other dreadful activities even after the attack, including leaking confidential credentials of the victim’s administration, performing lateral movements, and penetrating hives of the registry among other files held by the directory.

As concerns lateral movement, vulnerabilities within the authentication of ManageEngine ADSelfService are a very popular area of exploitation. Every time this happens, the threat attackers take advantage of the flaw to position JavaServer Pages (JSP) webshells that mimic the form of X509 certificate.

With the deployment or positioning of these webshells, hackers can easily make lateral movements within the company’s network through Windows Management Instrumentation (WMI). This also grants them entry into controllers of individual domains to set up both security and system hives and NTDS.s.

It is important to note that these groups called the advanced persistent threat attackers, are increasingly taking advantage of this particular system flaw in other parts of the world. They launch attacks against companies in different industries, including but not limited to the transportation sector, IT, education, security and defence, communications, transport and logistics, manufacturing and even finance.

Companies using Zoho ManageEngine ADSelfService Plus software are therefore advised to update the software packages they are using to the latest version as this comes with improved security protocols and provisions. The latest version was launched only recently and featured a patch to improve CVE-2021-40539, thereby positioning the concerned servers and systems in a safer mode of operation where the threat attackers may not access their networks and compromise the integrity of their operations.

The joint system security advisory committee formed by the CISA, FBI, and the CGCYBER has also proposed that companies ensure that the ADSelfService Plus package they are using cannot be accessed directly through the internet. This helps protect them against hacking attacks that would otherwise capitalize on such vulnerability.

Zoho has upgraded its fraud detection provision to help organizations identify and report fake receipts and fraudulent citations such as duplicated entries. The new upgrade also provides for flows in their approval mechanisms that can be customized. With these developments, companies have an extra measure of control over their system.