Several US government agencies have issued a joint advisory about active exploitation of a vulnerability in Zoho's ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. The agencies are the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER) and the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability is tracked as CVE-2021-40539 and carries a critical rating under the Common Vulnerability Scoring System (CVSS).
CVE-2021-40539 is an authentication bypass affecting the application's representational state transfer (REST) application programming interface (API) URLs. Exploiting it lets advanced persistent threat (APT) actors execute arbitrary code on the ADSelfService Plus host. Successful exploitation allows these actors to deploy webshells and, from there, to compromise administrator credentials, move laterally to other systems, and exfiltrate Active Directory files and registry hives. CVE-2021-40539 therefore poses a severe risk to any organization running this software, which includes many defense contractors and academic institutions critical to the U.S. government's IT infrastructure.
The task force first received reports of APT actors exploiting CVE-2021-40539 in August 2021. The initial access technique, exploitation of a public-facing application, is catalogued in MITRE ATT&CK as T1190. Observed follow-on tactics, techniques, and procedures (TTPs) include frequently writing webshells to establish persistence, harvesting user credentials, and creating additional user accounts as needed to achieve those goals.
Additional TTPs include using Windows Management Instrumentation (WMI) to execute code remotely, running the Windows net command to discover domain accounts, and deleting files to remove traces of the intrusion from the host. Actors have also used built-in Windows utilities to collect and stage files for exfiltration.
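As an added illustration (our code, not part of the advisory or of any agency tooling), the Python below turns the TTPs just listed into detection rules and runs them over constructed Sysmon-style process-creation events. The field names follow Sysmon Event ID 1; the sample events, the host names, the paths, and the assumption that the web-facing ADSelfService Plus process is java.exe are all ours and should be tuned to a real deployment.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "adss01",
     "ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net user /domain"},
    {"host": "dc01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -enc SQBFAFgA"},
    {"host": "adss01",
     "ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\Windows\Temp\stage.zip"},
    {"host": "ws42",  # benign: a user mapping a drive from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use Z: \\fileserver\share"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption for this example: ADSelfService Plus is a Java web application,
# so a shell spawned by java.exe is treated as a likely webshell child.
WEB_PARENTS = {"java.exe"}
# WmiPrvSE.exe is the WMI provider host; shells under it indicate remote WMI execution.
WMI_HOST = "wmiprvse.exe"
# net user/group/localgroup/accounts with /domain: domain account discovery.
DOMAIN_DISCOVERY = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup|accounts)\b.*?/domain\b", re.IGNORECASE)
# del/erase or Remove-Item: file deletion, only interesting in a suspicious context.
FILE_DELETION = re.compile(r"\b(?:del|erase)\s+|\bremove-item\b", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule tags that match one process-creation event."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    tags = []
    if parent in WEB_PARENTS and image in SHELLS:
        tags.append("webshell_child")
    if parent == WMI_HOST and image in SHELLS:
        tags.append("wmi_remote_exec")
    if DOMAIN_DISCOVERY.search(cmd):
        tags.append("domain_account_discovery")
    # Deletion from a web-facing or WMI-spawned shell suggests anti-forensic cleanup.
    if FILE_DELETION.search(cmd) and (parent in WEB_PARENTS or parent == WMI_HOST):
        tags.append("file_deletion")
    return tags


def triage(events):
    """Return (host, CommandLine, tags) for every event that matched at least one rule."""
    hits = []
    for event in events:
        tags = classify(event)
        if tags:
            hits.append((event["host"], event["CommandLine"], tags))
    return hits


if __name__ == "__main__":
    for host, cmd, tags in triage(SAMPLE_EVENTS):
        print(f"{host}: {tags}  <-  {cmd}")
```

The parent/child rules carry most of the signal: a net command on its own is routine administration, but the same command launched by the web application's JVM or by the WMI provider host is exactly the pattern the advisory describes, and a deletion from that context deserves the anti-forensics tag rather than being ignored as housekeeping.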
Zoho released ADSelfService Plus build 6114 on September 6, 2021, which patches CVE-2021-40539. All task force members strongly urge administrators to update to this build while the investigation and response to attacks on this vulnerability continue. Organizations running ADSelfService Plus should also ensure the platform is not directly reachable from the internet.
The FBI has deployed units specifically trained to deal with CVE-2021-40539 in all of its 56 field offices. CyWatch, the FBI's operations center, provides 24/7 support for these units by tracking incidents and communicating with field offices and partner agencies. CGCYBER has also deployed its own elements to provide cybersecurity capabilities to critical marine transportation systems in response to these attacks. In addition, CISA offers cyber hygiene services at no cost, helping organizations reduce their exposure to threats like CVE-2021-40539.
Actors typically run clean-up scripts that remove traces of the initial exploitation of the Zoho vulnerability, making it difficult to confirm that a compromise occurred. These scripts also obscure the relationship between the webshells and the exploit that planted them, so administrators are less likely to find and remove the webshells. Sharing incident information with the task force agencies improves their ability to identify these actors and hold them accountable.
Malicious ads shown in Google search results for the TeamViewer remote desktop software are redirecting users to attacker-controlled pages. These pages deliver ZLoader malware onto the user's system, creating a stealthy infection path that lets the attacker install additional malware without detection.
This latest ZLoader campaign infects victims indirectly, through search advertising, rather than through the traditional phishing approach. Clicking the link runs a downloader that retrieves the core module and injects it into processes already running on the host. The latest version of ZLoader also bundles additional components, which is common practice for this malware family. Malwarebytes, in collaboration with HYAS, has published a detailed analysis of ZLoader and in particular of its command-and-control (C2) panel. The analysis groups ZLoader variants by values in their configuration files and compares them with other ZeuS descendants, such as Terdot, that have recently become popular.
ZLoader, also known as Silent Night and ZBot, was first observed in 2016. It is a fully featured banking trojan based on ZeuS, probably the best-known banking trojan. ZLoader remains in active development; since the ZeuS source code leaked in 2011, many ZeuS-derived variants have appeared. The latest version of ZLoader includes a Virtual Network Computing (VNC) module that gives attackers remote access to the target system.
Version 1.0 of this variant was compiled at the end of November 2019, although it did not have a specific name at that time. It was initially referred to simply as ZLoader/Zbot, generic names for any malware related to ZeuS. Researchers later determined that this was a new ZeuS-derived family that its creators were distributing under the name "Silent Night", likely a reference to the biochemical weapon of the same name in the 2002 movie xXx.
The latest ZLoader campaign appears to target customers of Australian and German financial institutions. Its primary purpose is to intercept these users' web requests to their banking portals, allowing the attackers to capture the users' credentials for those institutions. The campaign is also notable for its unusually strong efforts to avoid detection, which include disabling Windows Defender through a series of commands.
Once a user clicks the Google ad on the results page, the link redirects the browser to a fake TeamViewer site controlled by the attacker. The user, believing this to be the real TeamViewer page, downloads a signed installer named Team-Viewer.msi. That installer carries ZLoader and acts as a first-stage dropper, downloading further droppers that impair the target system's defenses.
Their first action is to disable Windows Defender's protection modules with the PowerShell cmdlet Set-MpPreference. Next, they use the cmdlet Add-MpPreference to add exclusions for *.exe and *.dll files and for the regsvr32 process, which removes the ZLoader components from Windows Defender scanning. If this succeeds, the system downloads the ZLoader payload, a DLL file named tim.dll, which begins intercepting web requests from the host.
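As an added example (our code, not from Xantrion, Malwarebytes or any of the researchers cited above), the Python below scans PowerShell script-block text, such as the payload of Windows event 4104, for the two defense-evasion steps just described and reports which Defender features were switched off and which exclusions were added. The sample script blocks are constructed; the first two mirror the commands described in the text, the last two are benign reads or harmless settings that the scanner must not flag.

```python
import re

# Constructed script-block payloads (event 4104 style); not real logs.
SAMPLE_SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true "
    "-DisableIOAVProtection $true",
    'Add-MpPreference -ExclusionExtension ".exe",".dll" -ExclusionProcess "regsvr32.exe"',
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",  # read only
    "Set-MpPreference -SubmitSamplesConsent 2",  # a change, but nothing is disabled
]

# -Disable<Feature> $true (or 1) on Set-MpPreference turns a protection module off.
DISABLE_SWITCH = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE)
# One PowerShell argument value: double-quoted, single-quoted, or bare.
VALUE = r'"[^"]*"|\'[^\']*\'|[^\s,]+'
# -ExclusionPath/-ExclusionExtension/-ExclusionProcess with a comma-separated value list.
EXCLUSION = re.compile(
    rf"-(Exclusion(?:Path|Extension|Process))\s+((?:{VALUE})(?:\s*,\s*(?:{VALUE}))*)",
    re.IGNORECASE,
)
# Extension exclusions broad enough to hide the whole dropper chain from Defender.
BLANKET_EXTENSIONS = {".exe", ".dll", "*.exe", "*.dll"}


def analyze_block(text):
    """Return {'disabled': [...], 'exclusions': [(param, value), ...]} or None if benign."""
    disabled, exclusions = [], []
    # Only Set-/Add-MpPreference change state; Get-MpPreference merely reads it.
    if re.search(r"\bSet-MpPreference\b", text, re.IGNORECASE):
        disabled = [m.group(1) for m in DISABLE_SWITCH.finditer(text)]
    if re.search(r"\bAdd-MpPreference\b", text, re.IGNORECASE):
        for m in EXCLUSION.finditer(text):
            for raw in m.group(2).split(","):
                exclusions.append((m.group(1), raw.strip().strip("\"'")))
    if not disabled and not exclusions:
        return None
    return {"disabled": disabled, "exclusions": exclusions}


def severity(findings):
    """'high' if real-time protection is off or a blanket exclusion was added, else 'medium'."""
    if any(name.lower() == "disablerealtimemonitoring" for name in findings["disabled"]):
        return "high"
    for param, value in findings["exclusions"]:
        if param.lower() == "exclusionextension" and value.lower() in BLANKET_EXTENSIONS:
            return "high"
    return "medium"


def scan(blocks):
    """Return (index, severity, findings) for each script block that tampers with Defender."""
    results = []
    for index, text in enumerate(blocks):
        findings = analyze_block(text)
        if findings:
            results.append((index, severity(findings), findings))
    return results


if __name__ == "__main__":
    for index, sev, findings in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: {sev} {findings}")
```

Script-block logging must be enabled for these events to exist at all, and Defender's own operational log records the same preference changes under event 5007, so the two sources corroborate each other; an exclusion for every .exe and .dll is never a legitimate administrative setting and is worth an immediate alert on its own.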
Analysts believe the operators of the current ZLoader campaign are also running campaigns that impersonate software other than TeamViewer: they have found additional ZLoader artifacts that imitate popular applications such as Discord and Zoom. The complexity of these attacks has also increased compared to their predecessors, especially in their level of stealth. Furthermore, the method of delivering the first-stage dropper has changed from enticing victims into opening an infected document to placing links in their search results, which is much harder for users to recognize.
The most direct way to prevent infection by the latest version of ZLoader is to avoid clicking on any Google ads shown in search results for "TeamViewer" and similar terms. If you do want to download TeamViewer, make sure the page you are on is under the https://www.teamviewer.com domain by checking your browser's address bar before downloading anything.
For many small and midsize businesses (SMBs), cybersecurity is a priority but not a core competency. Contact us to learn how Xantrion’s managed security offerings can free you from the burden of cybersecurity and ensure that your entire team, from leadership on down, can work confidently and productively.