- “The FBI, CISA, and CGCYBER assess that advanced persistent threat cyber actors are likely among those exploiting the vulnerability,” the joint advisory notes
The US government has issued a joint advisory today warning of the ongoing “active exploitation” of a “critical” vulnerability in a popular password management solution, which “poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”
The vulnerability, CVE-2021-40539, is in Indian tech company Zoho’s ManageEngine ADSelfService Plus, a tool intended to help users create and use strong passwords as well as manage two-factor authentication and single sign-on (SSO) functionality. ManageEngine is used by organizations as a self-service password solution for cloud applications, virtual private networks (VPNs), and other enterprise IT assets often linked to Microsoft’s Active Directory. Active Directory is used by organizations to administer employees’ credentials, privileges, and access controls for organizational IT resources.
Zoho released a patch for the vulnerability nine days ago, and since then, exploits have been detected by the Federal Bureau of Investigation, Coast Guard Cyber Command, and the Cybersecurity and Infrastructure Security Agency, which is Homeland Security’s cyber lead.
“The FBI, CISA, and CGCYBER assess that Advanced Persistent Threat (APT) cyber actors are likely among those exploiting the vulnerability,” the joint advisory notes on Thursday, without specifying the specific actors. APT often refers to nation-states.
The government is advising users and organizations to patch the vulnerability immediately and “urging” users to “ensure ADSelfService Plus is not directly accessible from the internet.”
The vulnerability is an authentication bypass that affects ManageEngine’s representational state transfer (REST) application programming interface (API) URLs, according to the advisory. REST APIs are a common technology used by apps and servers to pass information back and forth. This vulnerability “could enable” remote code execution, the advisory notes.
Following the initial exploit, threat actors are “frequently writing web shells” for follow-on attacks, the joint advisory says. Web shells are malicious scripts that can give threat actors remote administrative control of and persistent access to compromised devices (usually servers), as well as allowing lateral movement across organizational networks, among other capabilities. Web shells were used extensively in follow-on attacks in the widespread Microsoft Exchange server hacks earlier this year.
As in the SolarWinds campaign, threat actors are targeting Microsoft’s Active Directory in ManageEngine follow-on attacks. Active Directory holds an organization’s user names and passwords and allows administrators to create new accounts, grant/limit account privileges, and add/remove access controls, among other tasks. FireEye CEO Kevin Mandia called Active Directory the “keys to the kingdom” during congressional testimony on SolarWinds earlier this year.
The FBI, CGCYBER, and CISA are “proactively investigating and responding to this malicious cyber activity.” The scale of the hacks is unclear at this time.
The above article was first published in Breaking Defense, https://breakingdefense.com/2021/09/usg-warns-of-critical-vulnerability-that-poses-serious-risk-to-defense-contractors-others/?utm_campaign=Breaking%20News&utm_medium=email&_hsmi=160484854&_hsenc=p2ANqtz–8bRWL0iVqOY8ehf_Kza0SK2GYh9rsxt7YqqL0d21R0zeX3wi6AF7OiOxGeToQj_BycCFnqmkrrDlqMrbVXsY14tMV5Q&utm_content=160484854&utm_source=hs_email