US government warns of “critical” vulnerability that poses “serious risk” to defense contractors, others – Breaking Defense
WASHINGTON: The US government today issued a joint advisory warning of the ongoing “active exploitation” of a “critical” vulnerability in a popular password management solution, which “poses a serious risk to critical infrastructure companies, US licensed defense contractors, academic institutions, and other entities that use the software.”
The vulnerability, CVE-2021-40539, is found in ManageEngine ADSelfService Plus from Indian technology company Zoho, a tool that helps users create and use strong passwords and manage two-factor authentication and single sign-on (SSO) functionality. Organizations use ManageEngine as a self-service password solution for cloud applications, virtual private networks (VPNs), and other corporate IT assets that are often linked to Microsoft’s Active Directory. Active Directory is used by organizations to administer employee credentials, privileges, and access controls for the organization’s computing resources.
Zoho released a patch for the vulnerability nine days ago, and since then exploitation has been detected by the Federal Bureau of Investigation, the Coast Guard Cyber Command, and the Cybersecurity and Infrastructure Security Agency, which is the Department of Homeland Security’s cyber lead.
“The FBI, CISA and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the joint advisory notes, without naming specific actors. APT often refers to nation states.
The government advises users and organizations to fix the vulnerability immediately and “urges” users to “ensure that ADSelfService Plus is not directly accessible from the Internet.”
The vulnerability is an authentication bypass affecting the ManageEngine Representational State Transfer (REST) application programming interface (API) URLs, according to the advisory. REST APIs are a common technology that applications and servers use to pass information back and forth. The vulnerability “could allow” remote code execution, the advisory notes.
After the initial exploit, threat actors “frequently write web shells” for follow-up attacks, the joint notice says. Web shells are malicious scripts that can give threat actors remote administrative control and permanent access to compromised devices (typically servers), as well as allow lateral movement across organizational networks, among other capabilities. Web shells were used extensively in widespread Microsoft Exchange server hacking attacks earlier this year.
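The advisory’s point that attackers “frequently write web shells” after exploitation suggests one practical defensive check: sweep the application’s web root for server-side script files that appeared after the last known-good deployment or that contain command-execution constructs. The script below is an added example written for this article, not code from the advisory, CISA or Zoho; the directory layout, file names, baseline time and indicator patterns are all constructed assumptions, and the positive sample is a non-functional fragment that merely contains a marker string.

```python
"""Sweep a web root for recently written or suspicious server-side scripts.

Added example (not from the advisory or the vendor). The indicator list is a
constructed starting point; a real deployment would extend it and compare
against a file manifest from the last trusted install.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# File types a servlet or PHP container executes as server-side code.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

# Constructed indicator patterns: constructs typical of command-execution
# web shells that rarely belong in a self-service password page.
INDICATORS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    re.compile(r"new\s+ProcessBuilder\("),
    re.compile(r"\b(system|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST)"),
]


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_webroot(root, newer_than=None):
    """Walk `root` and return Findings for script files that were modified
    after `newer_than` (epoch seconds) or that match an indicator pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if newer_than is not None and os.path.getmtime(path) > newer_than:
                reasons.append("modified after baseline")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than crash the sweep
            for pat in INDICATORS:
                if pat.search(content):
                    reasons.append("indicator: " + pat.pattern)
            if reasons:
                findings.append(Finding(path=path, reasons=reasons))
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot(base):
    """Create a constructed sample tree: one benign page backdated 30 days and
    one freshly written file containing an indicator marker (not a working shell)."""
    os.makedirs(os.path.join(base, "help"), exist_ok=True)
    benign = os.path.join(base, "index.jsp")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write('<%@ page language="java" %><html><body>Reset your password</body></html>\n')
    dropped = os.path.join(base, "help", "dropped.jsp")
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write("<%-- constructed marker only: Runtime.getRuntime().exec( --%>\n")
    old = time.time() - 30 * 86400
    os.utime(benign, (old, old))
    return benign, dropped


def run_demo():
    """Build the sample tree in a temp dir, scan it with a one-hour-old baseline,
    and return (dropped_file_path, findings)."""
    base = tempfile.mkdtemp(prefix="webroot-demo-")
    _benign, dropped = build_sample_webroot(base)
    baseline = time.time() - 3600  # constructed: last trusted deployment an hour ago
    return dropped, scan_webroot(base, newer_than=baseline)


if __name__ == "__main__":
    _dropped, results = run_demo()
    for f in results:
        print(f.path, "->", "; ".join(f.reasons))
```

The two signals are deliberately independent: a file that is new relative to the deployment baseline is reported even when it matches no pattern, and a file matching a pattern is reported even when its timestamp has been backdated, so an attacker has to defeat both to stay hidden from this sweep.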
As in the SolarWinds campaign, threat actors target Microsoft’s Active Directory in follow-on attacks after exploiting ManageEngine. Active Directory contains an organization’s usernames and passwords and allows administrators to create new accounts, grant or limit account privileges, and add or remove access controls, among other tasks. FireEye CEO Kevin Mandia called Active Directory “the keys to the kingdom” during congressional testimony on SolarWinds earlier this year.
The FBI, CGCYBER and CISA “are proactively investigating and responding to this malicious cyber activity.” The extent of the hacks is unclear at this time.