USG Warns Of 'Critical' Vulnerability That Poses 'Serious Risk' To Defense Contractors, Others – Breaking Defense

Want the latest defense industry news? Sign up for the Breaking Defense newsletter.

WASHINGTON: The US government issued a joint advisory today warning of the ongoing “active exploitation” of a “critical” vulnerability in a popular password management solution, which “poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”
The vulnerability, CVE-2021-40539, is in Indian tech company Zoho’s ManageEngine ADSelfService Plus, a tool intended to help users create and use strong passwords as well as manage two-factor authentication and single sign-on (SSO) functionality. ManageEngine is used by organizations as a self-service password solution for cloud applications, virtual private networks (VPNs), and other enterprise IT assets often linked to Microsoft’s Active Directory. Active Directory is used by organizations to administer employees’ credentials, privileges, and access controls for organizational IT resources.
Zoho released a patch for the vulnerability nine days ago, and since then, exploits have been detected by the Federal Bureau of Investigation, Coast Guard Cyber Command, and the Cybersecurity and Infrastructure Security Agency, which is Homeland Security’s cyber lead.
“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the joint advisory notes, without specifying the specific actors. APT often refers to nation-states.
The government is advising users and organizations to patch the vulnerability immediately and “urging” users to “ensure ADSelfService Plus is not directly accessible from the internet.”
The vulnerability is an authentication bypass that affects ManageEngine’s representational state transfer (REST) application programming interface (API) URLs, according to the advisory. REST APIs are a common technology used by apps and servers to pass information back and forth. This vulnerability “could enable” remote code execution, the advisory notes.
Following the initial exploit, threat actors are “frequently writing web shells” for follow-on attacks, the joint advisory says. Web shells are malicious scripts that can give threat actors remote administrative control of and persistent access to compromised devices (usually servers), as well as allowing lateral movement across organizational networks, among other capabilities. Web shells were used extensively in follow-on attacks in the widespread Microsoft Exchange server hacks earlier this year.
As in the SolarWinds campaign, threat actors are targeting Microsoft’s Active Directory in ManageEngine follow-on attacks. Active Directory holds an organization’s user names and passwords and allows administrators to create new accounts, grant/limit account privileges, and add/remove access controls, among other tasks. FireEye CEO Kevin Mandia called Active Directory the “keys to the kingdom” during congressional testimony on SolarWinds earlier this year.
The FBI, CGCYBER, and CISA are “proactively investigating and responding to this malicious cyber activity.” The scale of the hacks is unclear at this time.
A bright future for tactical vehicles. See Breaking Defense Game Changer here.
A bright future for tactical vehicles. See Breaking Defense Game Changer here.
“Our focus is to get the sensors and information architecture correct. We might have to change other capabilities out for that if necessary,” said Jez Holmes, Head of the RAF’s Rapid Capabilities Office.
By
Topics: , , , , , , ,
Supportability issues that affected the availability and performance of early, stealthy aircraft are being addressed by Northrop Grumman on this new program.
Supportability issues that affected the availability and performance of early, stealthy aircraft are being addressed by Northrop Grumman on this new program.
Raytheon Technologies is using our broad capabilities to create breakthrough advantages.
Raytheon Technologies is using our broad capabilities to create breakthrough advantages.
Sign up and get Breaking Defense news in your inbox.
Rheinmetall’s hybrid solution integrates next-generation active and passive technologies for effective layered defense in a weight and power portfolio that works
Rheinmetall’s hybrid solution integrates next-generation active and passive technologies for effective layered defense in a weight and power portfolio that works
Want the latest defense industry news? Sign up for the Breaking Defense newsletter.
Copyright © 2021 Breaking Media, Inc. All rights reserved. Registration or use of this site constitutes acceptance of our Terms of Service and Privacy Policy.
Privacy Center | Do not sell my information




source