News

APT actors exploiting newly identified vulnerability in ManageEngine ADSelfService Plus

  • www.securitymagazine.com
  • published date: 2021-09-17 00:00:00 UTC


<div class="body gsd-paywall article-body"><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">According to a joint advisory released by multiple agencies, state-backed advanced persistent threat (APT) groups are likely among those exploiting a critical flaw in a Zoho single sign-on and password management solution since early August 2021. </span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">The joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; 
margin-bottom:0pt;">The FBI, CISA and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a severe risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Jake Williams, Co-Founder and CTO at </span><a href="https://breachquest.com/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">BreachQuest</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">, an Augusta, Georgia-based leader in incident response, explains, "While patching is important (and especially so with such a high-impact vulnerability), organizations should note the frequent use of web shells as a post-exploitation payload. In this case, threat actors have been observed using web shells that were disguised as certificates. 
This sort of activity should stand out in web server logs - but only if organizations have a plan for detection. Given that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed."</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">The FBI, CISA and CGCYBER have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [</span><a href="https://attack.mitre.org/techniques/T1190/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1190</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">] to ManageEngine ADSelfService Plus as early as August 2021. 
The actors have been observed using various tactics, techniques, and procedures (TTPs), including:</span></p><ul style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Frequently writing webshells [</span><a href="https://attack.mitre.org/techniques/T1505/003/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1505.003</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">] to disk for initial persistence</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Obfuscating and Deobfuscating/Decoding Files or Information [</span><a href="https://attack.mitre.org/techniques/T1027/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1027</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"> and </span><a href="https://attack.mitre.org/techniques/T1140/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1140</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; 
list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Conducting further operations to dump user credentials [</span><a href="https://attack.mitre.org/techniques/T1003/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1003</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Living off the land by only using signed Windows binaries for follow-on actions [</span><a href="https://attack.mitre.org/techniques/T1218/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1218</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Adding/deleting user accounts as needed [</span><a href="https://attack.mitre.org/techniques/T1136/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1136</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; 
list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Stealing copies of the Active Directory database (NTDS.dit) [</span><a href="https://attack.mitre.org/techniques/T1003/003/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1003.003</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">] or registry hives</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Using Windows Management Instrumentation (WMI) for remote execution [</span><a href="https://attack.mitre.org/techniques/T1047" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1047</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Deleting files to remove indicators from the host [</span><a href="https://attack.mitre.org/techniques/T1070/004/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1070.004</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); 
margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Discovering domain accounts with the net Windows command [</span><a href="https://attack.mitre.org/techniques/T1087/002/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1087.002</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Using Windows utilities to collect and archive files for exfiltration [</span><a href="https://attack.mitre.org/techniques/T1560/001/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1560.001</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> <li style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; list-style-type:disc;"> <span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Using custom symmetric encryption for command and control (C2) [</span><a href="https://attack.mitre.org/techniques/T1573/001/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">T1573.001</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">]</span> </li> 
</ul><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Sean Nikkel, Senior Cyber Threat Intel Analyst at </span><a href="https://www.digitalshadows.com/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">Digital Shadows</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">, a San Francisco-based provider of digital risk protection solutions, says, "The recently reported ManageEngine vulnerability is the fifth instance of similar, critical vulnerabilities from ManageEngine this year. Notably, these vulnerabilities are severe in that they allow either remote code execution or the ability to bypass security controls. Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of 'blending in with the noise' of everyday system activity. It's reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes. The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. 
Users of Zoho's software should apply patches immediately to avoid the types of compromise described in the CISA bulletin."</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">Considering the amount of access and control these tools have, IT security teams must take immediate steps to remediate fully, says Yaniv Bar-Dayan, CEO and co-founder at </span><a href="https://vulcan.io/" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">Vulcan Cyber</span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">, a provider of SaaS for enterprise cyber risk remediation. Bar-Dayan adds, "Zoho has a patch, but it is just a patch for one vulnerable component of what is a multi-layered, advanced persistent threat. Apply the patch, but also make sure to eliminate direct access to ManageEngine software from the Internet where possible. If APT groups get access to systems management tools, they get the keys to the kingdom. Move quickly."</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">The FBI, CISA, and CGCYBER are proactively investigating and responding to this malicious cyber activity. 
The </span><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">FBI, for instance, is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI's 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">CISA also offers a range of no-cost </span><a href="https://www.cisa.gov/cyber-hygiene-services" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;" target="_blank"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt; color: #4a6ee0;">cyber hygiene services </span></a><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">to help organizations assess, identify, and reduce their exposure to threats. 
Organizations of any size could find ways to reduce their risk and mitigate attack vectors by requesting these services.</span></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><br></p><p style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;"><span data-preserver-spaces="true" style="color: rgb(14, 16, 26); margin-top:0pt; margin-bottom:0pt;">CGCYBER has deployable elements that provide cyber capability to marine transportation system critical infrastructure in proactive defense or response to incidents.</span></p></div>
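Jake Williams' point above, that web shells disguised as certificates stand out in web server logs only if normal behavior has already been baselined, as an added example (not code from the article, the advisory, or any of the vendors quoted): a Python script that records the (method, path) pairs seen in a known-good window of access-log lines, then flags requests to endpoints never seen before and POSTs to files with certificate extensions. The Apache/Tomcat combined log format, the paths, and every log line are constructed assumptions, not indicators from the advisory.

```python
"""Flag web-shell-like requests in access logs against a baseline of normal
traffic. Added example; every log line below is constructed, not a real IoC."""
import re

# Apache/Tomcat "combined" access-log format (an assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Static file types a web app serves but should never accept POSTed data on;
# a script hidden under one of these names is the pattern the advisory notes.
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string
    return rec

def build_baseline(lines):
    """Set of (method, path) pairs seen during a known-good period."""
    return {(r["method"], r["path"]) for r in map(parse, lines) if r}

def detect(lines, baseline):
    """Return (reason, client_ip, method, path) for each suspicious request."""
    findings = []
    for r in filter(None, map(parse, lines)):
        key = (r["method"], r["path"])
        if r["method"] == "POST" and r["path"].endswith(CERT_EXTENSIONS):
            findings.append(("post-to-certificate-file", r["ip"], *key))
        elif key not in baseline and r["status"] == "200":
            findings.append(("new-endpoint", r["ip"], *key))
    return findings

# Constructed data: a known-good window, then a window in which one client
# POSTs to a file with a certificate extension and then fetches it back.
BASELINE_LOGS = [
    '10.0.0.5 - - [01/Aug/2021:09:00:00 +0000] "GET /help/index.html?lang=en HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Aug/2021:09:01:00 +0000] "POST /app/login HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Aug/2021:09:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]
NEW_LOGS = [
    '10.0.0.5 - - [10/Sep/2021:12:00:00 +0000] "GET /help/index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Sep/2021:12:00:05 +0000] "POST /help/EXAMPLE.cer HTTP/1.1" 200 40',
    '198.51.100.9 - - [10/Sep/2021:12:00:07 +0000] "GET /help/EXAMPLE.cer HTTP/1.1" 200 40',
    '10.0.0.8 - - [10/Sep/2021:12:01:00 +0000] "GET /nosuchpage HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(*finding)
```

Only successful (200) requests to unknown paths are reported, so ordinary scanner noise against missing pages does not drown out the signal; a real deployment would build the baseline from weeks of logs rather than three lines.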