APT players exploit flaw in ManageEngine’s single sign-on solution
Cyber espionage groups are exploiting a critical vulnerability addressed earlier this month in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution for Active Directory environments. The FBI, CISA, and United States Coast Guard Cyber Command (CGCYBER) are urging organizations using the product to deploy the available patch as soon as possible and check their systems for signs of compromise.
“The FBI, CISA and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the three agencies said in a joint advisory. “The operation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US approved defense contractors, academic institutions and others who use the software.”
Authentication Bypass and RCE
The exploited vulnerability is tracked as CVE-2021-40539 and allows attackers to bypass authentication requirements by sending specially crafted requests to the product's REST API URLs. This authentication bypass gives attackers access to features that can allow remote code execution.
ManageEngine, a division of SaaS provider Zoho, patched the flaw on September 6 in ADSelfService Plus build 6114. Zoho and CISA advisories do not specify whether the flaw was discovered in the wild or whether attackers started to exploit it after the patch was released.
The attacks seen so far exploit the vulnerability to upload web shells – web-based backdoor scripts – to web servers hosting vulnerable ADSelfService deployments. These web shells then allow attackers to conduct post-exploitation activities, including theft of administrative credentials and lateral movement through the network to other systems.
The attack chain
The attackers first download a .zip file containing a JavaServer Pages (JSP) web shell that masquerades as an x509 certificate called service.cer. This file is placed in the \ManageEngine\ADSelfService Plus\bin directory. The final web shell deployment is called ReportGenerate.jsp and is located in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.
The presence of either of these two files is an indication that the system has been compromised. According to the ManageEngine advisory, users can also inspect the server access log and exit log for entries that could indicate a successful attack. If there is reason to believe that the machine has been compromised, ManageEngine recommends the following steps:
- Disconnect the machine with the installation from your network.
- Create a copy of the database backup file and store it elsewhere.
- Format the compromised machine.
- Download and install ManageEngine ADSelfService Plus. The build of the new installation must be the same as that of the backup.
- Restore the backup and start the server. It is recommended to use a different hardware configuration for the new installation.
- After the server is operational, update the installation to the latest version, 6114, using the service pack.
- Check for unauthorized access or use of accounts. Also check that there is no sign of lateral movement from the compromised machine to other machines. If there are indications of compromised Active Directory accounts, initiate password reset for those accounts.
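A defender can check a server for the two files named in the attack chain above with a short script. The following is an added example, not code from ManageEngine or the agencies' advisory: the installation root is passed in by the operator, and the content classification is a rough heuristic added here for triage; per the article, the presence of either file is already the indicator.

```python
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path

# Locations named in the article, relative to the ADSelfService Plus install
# root. The root itself is site-specific and supplied by the operator.
INDICATORS = (
    ("bin", "service.cer"),
    ("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
)

def find_ci(root, parts):
    """Resolve parts under root ignoring case, as Windows file systems do."""
    current = Path(root)
    for part in parts:
        if not current.is_dir():
            return None
        hits = [c for c in current.iterdir() if c.name.lower() == part.lower()]
        if not hits:
            return None
        current = hits[0]
    return current if current.is_file() else None

def classify(head):
    """Label a file by its leading bytes (heuristic added for this example)."""
    if head.startswith(b"PK\x03\x04"):
        return "zip archive"
    if head.startswith(b"-----BEGIN CERTIFICATE-----") or head[:2] == b"\x30\x82":
        return "looks like X.509 (PEM/DER)"
    if b"<%" in head:
        return "JSP markup"
    return "unknown"

def scan(install_root):
    """Return one finding per indicator file present under install_root."""
    findings = []
    for parts in INDICATORS:
        path = find_ci(install_root, parts)
        if path is None:
            continue
        data = path.read_bytes()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        findings.append({"path": str(path), "content": classify(data[:4096]),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "modified_utc": mtime.isoformat()})
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for finding in scan(sys.argv[1]):
        print(finding)
```

Run it against a forensic copy or mounted image of the installation directory where possible, and record the hash and modification time before the machine is formatted.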
According to CISA, in the attacks seen so far, hackers have used Windows Management Instrumentation (WMI) through the wmic.exe utility for lateral movement and remote code execution. Because ADSelfService Plus is a password management and single sign-on solution, attackers also acquired clear text credentials from compromised deployments for lateral movement.
The attackers also dumped and exfiltrated the ManageEngine databases, the Ntds.dit file which stores Active Directory data, and the SECURITY/SYSTEM/NTUSER registry hives from the compromised systems. To make detection more difficult, they deleted the logs and used compromised US infrastructure in the attacks.
“APT cyber actors have targeted academic institutions, defense contractors and critical infrastructure entities in several industrial sectors, including transportation, IT, manufacturing, communications, logistics and finance,” said the FBI, CISA and CGCYBER.
Copyright © 2021 IDG Communications, Inc.