CISA warns of APT actors exploiting newly identified vulnerability in ManageEngine ADSelfService Plus – ZDNet

Zoho released a patch for the issue on September 6.
By | September 17, 2021 — 14:03 GMT (22:03 SGT) | Topic: Security
CISA is urging users of Zoho’s ManageEngine ADSelfService Plus to update their installations, warning that APT actors are actively exploiting a recently disclosed vulnerability. 
Zoho ManageEngine ADSelfService Plus build 6114, released on September 6, 2021, fixes the vulnerability. 
ManageEngine ADSelfService Plus is a widely used self-service password management and single sign-on solution. The critical flaw, tracked as CVE-2021-40539, is an authentication bypass affecting the product's representational state transfer (REST) application programming interface (API) URLs that can lead to remote code execution.
In a joint advisory sent out this week, CISA, the FBI and the US Coast Guard Cyber Command said APT actors have already targeted “academic institutions, defense contractors and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance.”
According to CISA, cybercriminals and nation-states exploiting the vulnerability are able to upload a .zip file containing a JavaServer Pages (JSP) web shell masquerading as an X.509 certificate: service.cer. From there, more requests are made to different API endpoints to further exploit the victim’s system, according to the advisory. 
“After the initial exploitation, the JSP web shell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, continues the compromised access. Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult — the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between the exploitation of the vulnerability and the web shell,” CISA explained. 
“Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors. Successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 
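The first indicator CISA describes is a JSP web shell delivered inside a .zip and named service.cer. A cheap file-level check catches that impersonation: a real certificate is either PEM (base64 between BEGIN/END CERTIFICATE markers) or raw DER (an ASN.1 SEQUENCE whose first byte is 0x30), and neither form can contain JSP tags. The Python below is an added example written for this article, not code from CISA, Zoho or ManageEngine. It builds a constructed upload archive in memory (the certificate stub and the web shell stub are fabricated and inert), classifies each member, and also flags archive entry names that escape the extraction directory, a general hardening check that the advisory itself does not describe.

```python
"""Spot a JSP web shell dropped as a fake certificate inside an uploaded archive.

Added example for this article, not code from CISA, Zoho or ManageEngine.
The archive, certificate stub and web shell stub below are constructed and
inert; only the service.cer name and the .zip delivery come from the advisory.
"""
import base64
import io
import re
import zipfile

# Markers that can appear in a JSP page but never inside a genuine certificate.
# (A DER cert could contain the bytes "<%" by chance; that only earns a review.)
JSP_MARKERS = [re.compile(p, re.I) for p in
               (rb"<%", rb"%>", rb"<jsp:", rb"Runtime\.getRuntime", rb"getParameter\(")]

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def classify_cert_file(data):
    """Return 'pem', 'der', 'jsp_webshell' or 'unknown' for bytes claiming to be a .cer file."""
    # JSP check first: a shell that merely starts with byte 0x30 must not pass as DER.
    if any(m.search(data) for m in JSP_MARKERS):
        return "jsp_webshell"
    m = PEM_CERT.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        # A DER certificate is an ASN.1 SEQUENCE, tag byte 0x30.
        return "pem" if body[:1] == b"\x30" else "unknown"
    return "der" if data[:1] == b"\x30" else "unknown"


def scan_zip(blob):
    """Inspect every member of an uploaded archive; return (name, verdict) for suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entry names that escape the extraction directory (general hardening check,
            # not something the advisory attributes to this exploit chain).
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                findings.append((name, "path_traversal"))
            if info.is_dir():
                continue
            verdict = classify_cert_file(zf.read(info))
            claims_cert = name.lower().endswith((".cer", ".crt", ".pem", ".der"))
            if verdict == "jsp_webshell" or (claims_cert and verdict == "unknown"):
                findings.append((name, verdict))
    return findings


def build_sample_upload():
    """Constructed archive: a plausible PEM stub, a JSP stub named service.cer, and a traversing name."""
    der_stub = b"\x30\x82\x01\x00" + bytes(256)          # SEQUENCE header plus filler, not a real cert
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(der_stub)
           + b"-----END CERTIFICATE-----\n")
    jsp_stub = (b'<%@ page import="java.io.*" %>\n'
                b'<% String c = request.getParameter("cmd"); /* inert stub, runs nothing */ %>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ca.cer", pem)                 # benign: must not be reported
        zf.writestr("service.cer", jsp_stub)       # the advisory's disguised web shell
        zf.writestr("../../uploaded.jsp", jsp_stub)  # constructed traversal case
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_upload()):
        print(f"{verdict:16} {name}")
```

Run this against the archives an upload handler actually receives, before anything is written under a web-served directory; the point of checking content rather than extension is that the attacker chose the .cer name precisely so that an extension allow-list would wave it through.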
CISA added that organizations need to ensure that ADSelfService Plus is not directly accessible from the internet, and recommended “domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised.” The second reset of the krbtgt account matters because domain controllers continue to accept tickets issued under the previous krbtgt key; only after two resets, spaced far enough apart for replication to finish and outstanding tickets to expire so that domain-wide Kerberos authentication is not broken, does a stolen copy of NTDS.dit hold neither of the keys still honoured.
Threat actors have been exploiting the vulnerability since August, and CISA said they had seen a variety of tactics used to take advantage of the flaw, including frequently writing web shells to disk for initial persistence, obfuscating files or information, conducting further operations to dump user credentials and more. 
Others have used it to add or delete user accounts, steal copies of the Active Directory database, delete files to remove indicators from the host and use Windows utilities to collect and archive files for exfiltration. 
The situation is so serious that the FBI said it is “leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.”
CISA is also offering affected organizations help, and the US Coast Guard Cyber Command said it is providing specific cyber coverage for marine transportation system critical infrastructure.
Oliver Tavakoli, CTO at Vectra, told ZDNet that finding a critical vulnerability in the system intended to help employees manage and reset their passwords “is exactly as bad as it sounds.” 
Even if the ADSelfService Plus server were not accessible from the internet, it would be accessible from any compromised laptop, Tavakoli noted.
He added that recovering from an attack will be expensive because “domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets” are disruptive by themselves. The APT groups may have established other means of persistence in the intervening time, he noted. 
BreachQuest CTO Jake Williams said it was important that organizations note the frequent use of web shells as a post-exploitation payload. 
“In this case, threat actors have been observed using web shells that were disguised as certificates. This sort of activity should stand out in web server logs – but only if organizations have a plan for detection,” Williams said. 
“Given that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.”
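Williams’ point about baselining web server logs is straightforward to put into practice. The Python below is an added example written for this article, not code from CISA, ZDNet or any of the quoted vendors: it parses combined-format access log lines, builds a baseline of (method, path) pairs from a period believed clean, and then flags requests to the web shell path named in the CISA advisory, requests to any .jsp path absent from the baseline, and (a heuristic of this example, not of the advisory) parameters or POST bodies sent into the static /help/ documentation tree. The log lines, the 203.0.113.9 address and the /login.jsp path are constructed for the demo.

```python
"""Baseline web server logs and flag web shell activity.

Added example for this article, not code from CISA or any vendor quoted here.
Log lines and the /login.jsp path are constructed; the only indicator taken
from the CISA advisory is the ReportGenerate.jsp path.
"""
import re
from collections import Counter

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Where the advisory says the dropped JSP web shell becomes reachable.
KNOWN_SHELL_PATHS = {"/help/admin-guide/Reports/ReportGenerate.jsp"}

# Constructed excerpt from a period believed clean (paths other than the help tree are invented).
BASELINE_LOG = [
    '10.0.0.5 - - [01/Sep/2021:09:00:00 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Sep/2021:09:00:05 +0000] "GET /help/admin-guide/Reports/index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Sep/2021:09:01:00 +0000] "GET /login.jsp HTTP/1.1" 200 8010 "-" "Mozilla/5.0"',
]

# Constructed excerpt after the incident; 203.0.113.9 (TEST-NET-3) plays the attacker.
SUSPECT_LOG = [
    '10.0.0.5 - - [10/Sep/2021:08:12:01 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2021:08:12:02 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp?cmd=whoami HTTP/1.1" 200 312 "-" "python-requests/2.25.1"',
    '203.0.113.9 - - [10/Sep/2021:08:12:40 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 88 "-" "python-requests/2.25.1"',
    '203.0.113.9 - - [10/Sep/2021:08:13:00 +0000] "GET /help/admin-guide/Reports/cache.jsp HTTP/1.1" 200 40 "-" "python-requests/2.25.1"',
    '10.0.0.8 - - [10/Sep/2021:08:14:00 +0000] "GET /login.jsp HTTP/1.1" 200 8010 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split a combined-format line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def build_baseline(lines):
    """(method, path) pairs observed during the clean period."""
    return {(r["method"], r["path"]) for r in map(parse_line, lines) if r}


def detect(lines, baseline):
    """Return (reason, source_ip, path) tuples for suspicious requests, in log order."""
    alerts = []
    for rec in map(parse_line, lines):
        if not rec:
            continue
        path = rec["path"]
        if path in KNOWN_SHELL_PATHS:
            reason = "known_webshell_path"
        elif path.lower().endswith(".jsp") and (rec["method"], path) not in baseline:
            reason = "new_jsp_path"  # a web shell is, by definition, new executable content
        elif path.startswith("/help/") and (rec["query"] or rec["method"] == "POST"):
            # Heuristic of this example: static documentation should not take input.
            reason = "input_to_static_help_tree"
        else:
            continue
        alerts.append((reason, rec["ip"], path))
    return alerts


def summarize(alerts):
    """Alert count per source address, the first pivot an IR team wants."""
    return Counter(ip for _, ip, _ in alerts)


if __name__ == "__main__":
    found = detect(SUSPECT_LOG, build_baseline(BASELINE_LOG))
    for reason, ip, path in found:
        print(f"{reason:28} {ip:16} {path}")
    print(dict(summarize(found)))
```

The baseline is the part that needs care: build it from logs predating the earliest exploitation window (August 2021 for this flaw, per CISA) rather than from last week, or the web shell's path will already be part of "normal".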
Digital Shadows senior cyber threat intel analyst Sean Nikkel and other experts noted that this is the fifth critical vulnerability of this kind disclosed in ManageEngine products this year. 
These vulnerabilities are severe in that they allow either remote code execution or the ability to bypass security controls, Nikkel told ZDNet. 
“Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of ‘blending in with the noise’ of everyday system activity. It’s reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes,” he said. 
“The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin.”
The vulnerability is part of a larger trend of issues being found with systems management software tools. Vulcan Cyber CEO Yaniv Bar-Dayan compared it to recent issues with SolarWinds, Open Management Infrastructure (OMI), Salt and more. 
“Considering the amount of access and control these tools have, it is critical IT security teams take immediate steps to remediate fully. Zoho has a patch, but it is just a patch for one vulnerable component of what is a multi-layered, advanced persistent threat,” Bar-Dayan added. 
“Apply the patch, but also make sure to eliminate direct access to ManageEngine software from the Internet where possible. If APT groups get access to systems management tools, they get the keys to the kingdom. Move quickly.”
© 2021 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED. Privacy Policy | Cookie Settings | Advertise | Terms of Use