The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI) and the US Coast Guard Cyber Command (CGCYBER), is warning of a critical vulnerability in a self-service password management and single sign-on product from the Indian software company Zoho. Affected is ADSelfService Plus, a component of Zoho's ManageEngine product line. According to CISA, the vulnerable software is in use at a large number of organizations, including universities and defense contractors.
Every admin’s nightmare
The vulnerability (CVE-2021-40539) is rated critical with a CVSS score of 9.8 out of a maximum of 10. Attackers can exploit it to bypass authentication via the product's REST API and then execute arbitrary code, from the public internet and without valid credentials. This is particularly serious because ADSelfService Plus holds credentials for an organization's cloud accounts and its Windows Active Directory. The flaw is therefore an ideal entry point: gain a foothold on one system, then pivot from there into every part of the network (the attacker's lateral movement).
CISA, FBI and CGCYBER have already observed such attacks in the wild. The US agencies therefore urge affected companies and organizations to secure every ADSelfService Plus installation immediately. Zoho has released a fixed build (6114), which admins should install now if they have not already done so.
Attacks can be hard to detect
Because exploiting the flaw lets attackers steal admin credentials for all kinds of systems in the organization's network, down to individual PCs, the cleanup is far from over once the ManageEngine patch is installed. Admins must also verify that attackers have not already entered the network and established a foothold on other systems. Since, according to CISA, the flaw is being actively exploited by well-organized APT groups, which are usually very skilled at covering their tracks, finding the attackers in one's own network can be difficult.
To exploit the flaw, attackers currently upload a web shell disguised as an X.509 certificate to the target system via the REST API. The supposed certificate is actually a ZIP archive containing a Java Server Pages (JSP) file. Subsequent requests to other API endpoints cause the system to execute the web shell, which in turn gives the attacker access to the system. From there, the attacker works through Windows Management Instrumentation (WMI) towards the domain controller.
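A practical check that follows from the description above: a file that arrives as a "certificate" can be verified to really be one. The script below is an added example, not code from the advisory or from Zoho. It classifies a blob as PEM, DER or ZIP and lists any archive members that are server-side code; the sample upload it builds is constructed for the example (an inert placeholder .jsp, not a working web shell), and the extension list is an assumption.

```python
"""Check whether a file uploaded as an X.509 certificate is really one.

Added example, not code from CISA's advisory or from Zoho. The exploit
described above delivers a JSP web shell inside a ZIP archive that is
uploaded under the guise of a certificate. A genuine certificate is a PEM
text block or DER bytes; a ZIP archive is recognised by its trailing
end-of-central-directory record, which zipfile finds even when a real PEM
block has been glued to the front of the archive to fool a first-bytes check.
"""
import io
import zipfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
DER_SEQUENCE_TAG = b"\x30"  # ASN.1 SEQUENCE tag that opens every DER certificate
# File extensions that mean "server-side code", not "certificate" (assumed list).
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".war", ".jar", ".class")


def classify_certificate_blob(data: bytes) -> dict:
    """Return {'kind': 'pem'|'der'|'zip'|'unknown', 'script_members': [...]}."""
    result = {"kind": "unknown", "script_members": []}
    # Test for ZIP first: zipfile locates the archive by its *trailing*
    # central directory, so prepended PEM text does not hide it.
    if zipfile.is_zipfile(io.BytesIO(data)):
        result["kind"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                if name.lower().endswith(SCRIPT_EXTENSIONS):
                    result["script_members"].append(name)
        return result
    if data.lstrip().startswith(PEM_HEADER):
        result["kind"] = "pem"
    elif data[:1] == DER_SEQUENCE_TAG:
        result["kind"] = "der"
    return result


def is_suspicious_certificate(data: bytes) -> bool:
    """True when the blob is not a certificate at all, or hides server-side code."""
    info = classify_certificate_blob(data)
    return info["kind"] not in ("pem", "der") or bool(info["script_members"])


def build_fake_certificate(prepend_pem: bool = False) -> bytes:
    """Constructed sample: a ZIP archive with one placeholder .jsp member, the
    shape of the malicious 'certificate' upload. The JSP body is an inert
    comment, not a working web shell. With prepend_pem=True a PEM header is
    glued to the front, the trick that defeats a naive first-bytes check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("placeholder.jsp", "<%-- inert placeholder, not a web shell --%>")
    data = buf.getvalue()
    return (PEM_HEADER + b"\n" + data) if prepend_pem else data


if __name__ == "__main__":
    for label, blob in [
        ("zip posing as cert", build_fake_certificate()),
        ("zip with PEM prepended", build_fake_certificate(prepend_pem=True)),
        ("genuine pem", PEM_HEADER + b"\nMIIBdummy\n-----END CERTIFICATE-----\n"),
    ]:
        print(label, classify_certificate_blob(blob), is_suspicious_certificate(blob))
```

The ZIP test runs before the PEM test on purpose: a first-bytes check would accept an archive that starts with a PEM header, whereas the end-of-central-directory record at the tail of the file cannot be hidden that way.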
Indicators of Compromise
CISA, FBI and CGCYBER recommend watching for the following attacker techniques:
- wmic.exe is used to move from system to system in the network and to execute malicious code
- Windows credentials are read in plaintext from the compromised ADSelfService Plus system
- pg_dump.exe is used to dump the ManageEngine databases
- Data is read from NTDS.dit and from the SECURITY, SYSTEM and NTUSER registry hives
- Data collected in the network is later exfiltrated via the web shells
- The activity is masked by routing it through previously compromised, legitimate-looking US infrastructure
- The attackers selectively filter and delete log entries that could reveal them
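Several items in this list (remote wmic.exe execution, pg_dump.exe runs, NTDS.dit and registry-hive access) are visible in process-creation telemetry. The script below is an added example, not code from CISA/FBI/CGCYBER or from Zoho, showing how to hunt for them across exported events. It assumes Windows process-creation events (Security event 4688 or Sysmon event 1) have already been exported to dicts with host, image and command_line keys; the events, host names and paths are constructed for the example, and the command-line patterns for reading NTDS.dit and the hives (ntdsutil, reg.exe save, a plain copy) are assumptions about common tooling rather than details from the advisory.

```python
"""Hunt process-creation events for the post-exploitation activity listed above.

Added example, not code from CISA/FBI/CGCYBER or from Zoho. It assumes that
Windows process-creation events (Security event 4688 or Sysmon event 1) have
already been exported to dicts with 'host', 'image' and 'command_line' keys;
the events below are constructed for the example. The command-line patterns
for NTDS.dit and registry-hive access are assumptions about how such a
read-out is usually performed (ntdsutil, reg.exe save, a plain copy), not
details taken from the advisory.
"""
import re

# (rule name, regex on the executable's file name, regex on the command line
# or None if any invocation of that executable should be reported)
RULES = [
    # wmic.exe targeting another host and spawning a process there
    ("wmic_remote_exec", r"^wmic\.exe$", r"/node:\S+.*process\s+call\s+create"),
    # any pg_dump.exe run: the PostgreSQL client used to dump the ManageEngine
    # databases; baseline the product's own backup jobs before alerting
    ("pg_dump_manageengine", r"^pg_dump\.exe$", None),
    # ntdsutil 'ifm' media creation, reg.exe saving the SECURITY/SYSTEM/SAM
    # hives, or a direct copy of ntds.dit (assumed patterns)
    ("ntds_or_hive_dump", r"^(ntdsutil|reg|cmd)\.exe$",
     r"ntds\.dit|\bifm\b|save\s+hkl?m\\(security|system|sam)\b"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, event index, host) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        name = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        for rule, image_re, cmd_re in RULES:
            if not re.search(image_re, name, re.IGNORECASE):
                continue
            if cmd_re and not re.search(cmd_re, cmd, re.IGNORECASE):
                continue
            hits.append((rule, idx, ev.get("host")))
    return hits


# Constructed sample events (not real telemetry); indices 0, 2 and 7 are benign.
SAMPLE_EVENTS = [
    {"host": "ADSSP01", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "ADSSP01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": r'wmic.exe /node:DC01 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'},
    {"host": "ADSSP01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic.exe os get caption"},
    {"host": "ADSSP01", "image": r"C:\ManageEngine\ADSelfService Plus\pgsql\bin\pg_dump.exe",
     "command_line": r"pg_dump.exe -U postgres -f C:\Windows\Temp\dump.sql"},
    {"host": "DC01", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe save hklm\security C:\Windows\Temp\sec.hiv"},
    {"host": "DC01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ntds" q q'},
    {"host": "DC01", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"},
    {"host": "DC01", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\"},
]

if __name__ == "__main__":
    for rule, idx, host in hunt(SAMPLE_EVENTS):
        print(f"{host}: event {idx} matches {rule}: {SAMPLE_EVENTS[idx]['command_line']}")
```

The wmic rule deliberately requires both a /node: target and "process call create": local WMI queries are routine admin activity, while remote process creation from the ADSelfService Plus host is the lateral movement the list describes. Since the attackers also delete log entries on the compromised host, run this against telemetry that was forwarded off the box, not against logs read from the host itself.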
In addition to updating ADSelfService Plus and increased vigilance, the US agencies recommend that, if the NTDS.dit file was accessed, all passwords in the domain be reset along with the password of the Kerberos Ticket Granting Ticket account (krbtgt), which must be reset twice, because tickets issued under the previous krbtgt key remain valid until the second reset removes it.