UPDATED on Sept. 18 at 6:45 p.m. ET with comment from a CISA official.
WASHINGTON: The US government issued a joint advisory Thursday warning of the ongoing “active exploitation” of a “critical” vulnerability in a popular password management solution, which “poses a serious risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software.”
A Cybersecurity and Infrastructure Security Agency (CISA) official told Breaking Defense after this report’s original publication, “As exploitation of this product can lead to full identity compromise, CISA is taking this vulnerability very seriously and requests information from any organizations that may have been impacted.”
Thursday’s warning said that the “FBI, CISA, and [Coast Guard Cyber Command] assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability,” without specifying the specific actors. APT often refers to nation-states.
But as of Saturday, the CISA official said the agency had “no knowledge of any exploitation of this vulnerability in the federal government.”
The vulnerability, CVE-2021-40539, is in Indian tech company Zoho’s ManageEngine ADSelfService Plus (ADSSP), a tool intended to help users create and use strong passwords as well as manage two-factor authentication and single sign-on (SSO) functionality. ADSSP is used by organizations as a self-service password solution for cloud applications, virtual private networks (VPNs), and other enterprise IT assets often linked to Microsoft’s Active Directory. Active Directory is used by organizations to administer employees’ credentials, privileges, and access controls for organizational IT resources.
Zoho released a patch for the vulnerability nine days ago, and since then, exploits have been detected by the FBE, CGCYBER, and CISA, which is Homeland Security’s cyber lead.
The government Thursday advised users and organizations to patch the vulnerability immediately and “urging” users to “ensure ADSelfService Plus is not directly accessible from the internet.”
The vulnerability is an authentication bypass that affects ADSSP’s representational state transfer (REST) application programming interface (API) URLs, according to the advisory. REST APIs are a common technology used by apps and servers to pass information back and forth. This vulnerability “could enable” remote code execution, the advisory notes.
Following the initial exploit, threat actors are “frequently writing web shells” for follow-on attacks, the joint advisory says. Web shells are malicious scripts that can give threat actors remote administrative control of and persistent access to compromised devices (usually servers), as well as allowing lateral movement across organizational networks, among other capabilities. Web shells were used extensively in follow-on attacks in the widespread Microsoft Exchange server hacks earlier this year.
As in the SolarWinds campaign, threat actors are targeting Microsoft’s Active Directory in ADSSP follow-on attacks. Active Directory holds an organization’s user names and passwords and allows administrators to create new accounts, grant/limit account privileges, and add/remove access controls, among other tasks. FireEye CEO Kevin Mandia called Active Directory the “keys to the kingdom” during congressional testimony on SolarWinds earlier this year.
The FBI, CGCYBER, and CISA are “proactively investigating and responding to this malicious cyber activity.” The scale of the hacks is unclear at this time.
A new approach to speed, scale and efficiency for the industrial base
Radars, EW, EO/IR, space imagery, and microelectronics are brought under one roof for a streamlined approach to common people and factories.
As Pentagon awaits supplemental dollars, its operational funding is $2B in the hole
The House is teeing up a series of votes this weekend on separate supplemental spending bills for Israel, Taiwan and Ukraine.
