US government agencies urge immediate action to look for indicators of compromise and, if found, take recommended steps to mitigate.

Cyberespionage groups are exploiting a critical vulnerability patched earlier this month in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution for Active Directory environments. The FBI, CISA and the United States Coast Guard Cyber Command (CGCYBER) urge organizations that use the product to deploy the available patch as soon as possible and check their systems for signs of compromise.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the three agencies said in a joint advisory. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”

Authentication bypass and RCE

The exploited vulnerability is tracked as CVE-2021-40539. It allows attackers to bypass authentication by sending specially crafted requests to the product’s REST API URLs, and the resulting unauthenticated access reaches functionality that can be abused for remote code execution.

ManageEngine, a division of SaaS provider Zoho, patched the flaw on September 6 in ADSelfService Plus build 6114. Neither Zoho’s nor CISA’s advisory specifies whether the flaw was discovered being exploited in the wild or whether attackers started exploiting it after the patch was released. The attacks observed so far use the vulnerability to upload web shells (web-based backdoor scripts) to the web servers hosting vulnerable ADSelfService Plus deployments.
These web shells then let the attackers carry out post-exploitation activity, including stealing administrative credentials and moving laterally through the network to other systems.

The attack chain

The attackers first upload a .zip file containing a JavaServer Pages (JSP) web shell that masquerades as an X.509 certificate called service.cer. This file is placed in the ManageEngine\ADSelfService Plus\bin directory. The final web shell is deployed as ReportGenerate.jsp in the ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder. The presence of either of these two files is an indication that the system has been compromised. According to the ManageEngine advisory, users can also inspect the access log and the serverOut log for entries that could indicate a successful attack.

If there is reason to believe the machine has been compromised, ManageEngine recommends the following steps:

1. Disconnect the machine with the installation from your network.
2. Create a copy of the database backup file and store it elsewhere.
3. Format the compromised machine.
4. Download and install ManageEngine ADSelfService Plus. The build of the new installation should be the same as that of the backup.
5. Restore the backup and start the server. It is recommended to use a different hardware setup for the new installation.
6. Once the server is up and running, update the installation to the latest build, 6114, using the service pack.
7. Check for unauthorized access to or use of accounts. Also check for any evidence of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate password resets for those accounts.

According to CISA, in the attacks observed so far the attackers used Windows Management Instrumentation (WMI) via the wmic.exe utility for lateral movement and remote code execution.
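The two file indicators above (service.cer under bin, ReportGenerate.jsp under help\admin-guide\Reports) are simple to sweep for across a fleet. The script below is an added example, not ManageEngine's or CISA's tooling: it takes the install root as an argument (the default path is the usual install location, an assumption rather than something the article states), reports either indicator if present, and, because service.cer is a JSP file posing as a certificate, applies a content check of my own to confirm that what sits at that path is not actually an X.509 certificate.

```python
# Added example (not ManageEngine's or CISA's own tooling): sweep an
# ADSelfService Plus install root for the two web shell artifacts the
# advisory names. Assumptions: the install root is supplied by the caller
# (DEFAULT_ROOT is the typical location, not taken from the article), and
# the "is this really a certificate?" heuristic is mine.
import sys
from pathlib import Path

DEFAULT_ROOT = r"C:\ManageEngine\ADSelfService Plus"  # assumed default install path

# Relative paths of the two indicators of compromise named in the advisory.
IOC_PATHS = (
    Path("bin") / "service.cer",
    Path("help") / "admin-guide" / "Reports" / "ReportGenerate.jsp",
)

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def looks_like_certificate(data: bytes) -> bool:
    """True if the bytes plausibly are an X.509 certificate: PEM text,
    or DER whose first byte is the ASN.1 SEQUENCE tag 0x30."""
    stripped = data.lstrip()
    return stripped.startswith(PEM_HEADER) or (len(stripped) > 0 and stripped[0] == 0x30)


def looks_like_jsp(data: bytes) -> bool:
    """JSP directives and scriptlets open with '<%'; a real certificate never contains it."""
    return b"<%" in data


def scan_install_root(root) -> list:
    """Return one finding (dict) per IoC path that exists under `root`."""
    root = Path(root)
    findings = []
    for rel in IOC_PATHS:
        path = root / rel
        if not path.is_file():
            continue
        data = path.read_bytes()
        note = "IoC path present"
        # service.cer masquerades as a certificate; confirm the content is really JSP.
        if path.suffix.lower() == ".cer" and (looks_like_jsp(data) or not looks_like_certificate(data)):
            note = "IoC path present and content is not an X.509 certificate"
        findings.append({"path": str(rel), "size": len(data), "note": note})
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    hits = scan_install_root(target)
    for hit in hits:
        print(f"[!] {hit['path']}: {hit['note']} ({hit['size']} bytes)")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_adss.py "D:\ManageEngine\ADSelfService Plus"` on each host; a non-zero exit code means at least one indicator was found, which makes it easy to drive from a job scheduler or EDR script task. A hit on either path should trigger the isolate-and-rebuild steps above rather than a simple file deletion, since the web shell is only the foothold.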
Since ADSelfService Plus is a password management and SSO solution, the attackers were also able to obtain plaintext credentials from the compromised deployments and use them for lateral movement. They also dumped and exfiltrated the ManageEngine databases, the Ntds.dit file, which holds the Active Directory database, and the SECURITY, SYSTEM and NTUSER registry hives from compromised systems. To make detection harder they deleted logs and used compromised US-based infrastructure in the attacks.

“APT cyber actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors,” the FBI, CISA and CGCYBER said.