Aliases: No associated aliases
Microsoft Defender Antivirus detects and removes this threat.
Threat actors exploit the CVE-2021-40539 vulnerability to compromise systems running the ZOHO ManageEngine ADSelfService Plus software.
After exploitation, threat actors can take control of the target device and perform activities such as credential dumping, installing custom binaries, and dropping malware, including a custom IIS module and the Zebracon trojan, to maintain persistence and move laterally within the network.
Read the following Microsoft Security blog for more information:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
Microsoft 365 Defender correlates any related alerts into incidents to help customers determine if the observed alerts are related to this activity, and to get an overview of the attack story. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this activity. Additionally, Threat and Vulnerability Management (TVM) in Microsoft 365 Defender supports insights related to CVE-2021-40539. Microsoft 365 Defender customers can find any affected devices in their environment and initiate the appropriate version update of the ManageEngine software.