US government agencies urge immediate action to look for indicators of compromise and, if found, take recommended steps to mitigate.

Cyberespionage groups are exploiting a critical vulnerability patched earlier this month in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution for Active Directory environments. The FBI, CISA and the United States Coast Guard Cyber Command (CGCYBER) urge organizations that use the product to deploy the available patch as soon as possible and check their systems for signs of compromise.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the three agencies said in a joint advisory. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”

Authentication bypass and RCE

The exploited vulnerability is tracked as CVE-2021-40539 and allows attackers to bypass authentication requirements by sending specially crafted requests to the product’s REST API URLs. This authentication bypass gives attackers access to functionality that can enable remote code execution. ManageEngine, a division of SaaS provider Zoho, patched the flaw on September 6 in ADSelfService Plus build 6114. Zoho’s and CISA’s advisories do not specify whether the flaw was discovered in the wild or whether attackers started exploiting it after the patch was released. Attacks observed so far leverage the vulnerability to upload web shells — web-based backdoor scripts — on the web servers hosting vulnerable ADSelfService deployments.
These web shells then allow attackers to conduct post-exploitation activities, including stealing administrative credentials and moving laterally through the network to other systems.

The attack chain

Attackers first upload a .zip file containing a JavaServer Pages (JSP) web shell that masquerades as an x509 certificate called service.cer. This file is placed in the ManageEngine\ADSelfService Plus\bin directory. The final web shell deployment is called ReportGenerate.jsp and is in the ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder. The presence of either of these two files is an indication that the system has been compromised. According to the ManageEngine advisory, users can also inspect the access log and server out log for entries that could indicate a successful attack.

If there is reason to believe the machine has been compromised, ManageEngine recommends the following steps:

1. Disconnect the machine with the installation from your network.
2. Create a copy of the database backup file and store it elsewhere.
3. Format the compromised machine.
4. Download and install ManageEngine ADSelfService Plus. The build of the new installation should be the same as that of the backup.
5. Restore the backup and start the server. It is recommended to use a different hardware setup for the new installation.
6. Once the server is up and running, update the installation to the latest build, 6114, using the service pack.
7. Check for unauthorized access to or use of accounts. Also, check for any evidence of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate a password reset for those accounts.

According to CISA, in the attacks observed so far, hackers used Windows Management Instrumentation (WMI) via the wmic.exe utility for lateral movement and remote code execution.
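A defender-side check for the two file indicators named above, added here as an example; it is not code from the article, ManageEngine or the agencies. It assumes you pass the ADSelfService Plus install root, and it goes beyond the advisory by also walking the whole tree for any file carrying one of the indicator names, while only reading files so evidence is preserved for forensics.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File indicators named in the advisory, relative to the ADSelfService Plus
# install root: a JSP web shell posing as a certificate in bin\, and the final
# web shell under help\admin-guide\Reports\.
INDICATORS = (
    ("bin", "service.cer"),
    (os.path.join("help", "admin-guide", "Reports"), "ReportGenerate.jsp"),
)
INDICATOR_NAMES = {name.lower() for _, name in INDICATORS}

def describe(path: Path, at_advisory_path: bool) -> dict:
    """Record path, size, mtime and SHA-256; the file is read, never altered."""
    st = path.stat()
    return {
        "path": str(path),
        "at_advisory_path": at_advisory_path,
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }

def find_indicators(install_root) -> list:
    """Walk the whole install tree for files carrying an indicator name
    (case-insensitive) and flag whether each sits at the advisory's path."""
    root = Path(install_root)
    expected = {(root / d / n).resolve() for d, n in INDICATORS}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in INDICATOR_NAMES:
                p = Path(dirpath) / fn
                findings.append(describe(p, p.resolve() in expected))
    return sorted(findings, key=lambda f: f["path"])

def demo() -> list:
    """Scan a constructed install tree (hypothetical sample data): one planted
    indicator at the advisory path and one indicator-named file elsewhere."""
    root = Path(tempfile.mkdtemp(prefix="adssp_"))
    (root / "bin").mkdir()
    (root / "help" / "admin-guide" / "Reports").mkdir(parents=True)
    (root / "bin" / "service.cer").write_bytes(b"constructed sample, not a shell")
    (root / "webapps").mkdir()
    (root / "webapps" / "REPORTGENERATE.JSP").write_bytes(b"constructed sample")
    return find_indicators(root)
```

Run it against the real install directory and treat any finding as a reason to start the isolation and rebuild steps listed above rather than deleting the file.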
Since ADSelfService Plus is a password management and SSO solution, the attackers also acquired plaintext credentials from the compromised deployments for lateral movement. The attackers also dumped and exfiltrated the ManageEngine databases, the Ntds.dit file, which stores Active Directory data, and the SECURITY/SYSTEM/NTUSER registry hives from compromised systems. To make detection harder, they deleted logs and used compromised US-based infrastructure in the attacks.

“APT cyber actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors,” the FBI, CISA and CGCYBER said.