APT actors exploit flaw in ManageEngine single sign-on solution

Cyber-espionage groups are exploiting a critical vulnerability patched earlier this month in ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution for Active Directory environments.

The FBI, CISA and the United States Coast Guard Cyber Command (CGCYBER) urge organisations who use the product to deploy the available patch as soon as possible and check their systems for signs of compromise.

“The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” the three agencies said in a joint advisory. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”

Authentication bypass and RCE

The exploited vulnerability is tracked as CVE-2021-40539 and allows attackers to bypass authentication requirements by sending specially crafted requests to the product’s REST API URLs. This authentication bypass provides attackers with access to functionality that can enable remote code execution.

ManageEngine, a division of software-as-a-service (SaaS) provider Zoho, patched the flaw on September 6 in ADSelfService Plus build 6114. Zoho’s and CISA’s advisories do not specify whether the flaw was discovered in the wild or whether attackers started exploiting it after the patch was released.

Attacks observed so far leverage the vulnerability to upload web shells — web-based backdoor scripts — on the web servers hosting vulnerable ADSelfService deployments. These web shells then allow attackers to conduct post-exploitation activities including stealing administrative credentials and moving laterally through the network to other systems.

The attack chain

Attackers first upload a .zip file containing a JavaServer Pages (JSP) web shell that masquerades as an x509 certificate called service.cer. This file is placed in the ManageEngineADSelfService Plusbin directory. The final web shell deployment is called ReportGenerate.jsp and is in the ManageEngineADSelfService Plushelpadmin-guideReports folder.

The presence of either of these two files is an indication that the system has been compromised. According to the ManageEngine advisory, users can also inspect the access log and server out log for entries that could indicate a successful attack. If there is reason to believe the machine has been compromised, ManageEngine recommends businesses adhere to the following steps:

Disconnect the machine with the installation from the network.
Create a copy of the database back-up file and store it elsewhere.
Format the compromised machine.
Download and install ManageEngine ADSelfService Plus. The build of the new installation should be the same as that of the back-up.
Restore the back-up and start the server. It is recommended to use a different hardware set-up for the new installation.
Once the server is up and running, update the installation to the latest build, 6114, using the service pack.
Check for unauthorised access to or use of accounts. Also, check for any evidence of lateral movement from the compromised machine to other machines. If there are any indications of compromised Active Directory accounts, initiate password reset for those accounts.

According to CISA, in the attacks observed so far, hackers used the Windows Management Instrumentation (WMI) via the wmic.exe utility for lateral movement and remote code execution. Since ADSelfService Plus is a password management and SSO solution, the attackers also acquired plaintext credentials from the compromised deployments for lateral movement.

The attackers also dumped and exfiltrated the ManageEngine databases, the Ntds.dit file which stores Active Directory data and the SECURITY/SYSTEM/NTUSER registry hives from compromised systems. To make detection harder they deleted logs and used compromised US-based infrastructure in the attacks.

“APT cyber actors have targeted academic institutions, defence contractors, and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors,” the FBI, CISA and CGCYBER said.