No Place for Unpatched Systems

Threat actors are busy exploiting a known vulnerability
in Zoho’s password management service
ManageEngine AdSelfService Plus.
Not surprisingly,
this is a vulnerability
for which a patch was made publicly available
on September 6.
However,
some users and administrators have not made the necessary update,
so this vulnerability is still being exploited these days.

Attackers found an open door

The vulnerability
that’s the subject of this post
is known as CVE-2021-40539.
It has been rated as critical under the Common Vulnerability Scoring System (CVSS),
given that systems
that have missed the update
are exposed to remote code execution.
We explained this risk in a previous post.
It means
unpatched systems would allow
internal or external attackers
to trigger unexpected actions remotely
(e.g., deploy malware, archive files).

ManageEngine released
a flowchart revealing the CVE-2021-40539 exploit analysis
(see Figure 1),
along with instructions
on how to fix the vulnerability.
According to their analysis,
the attackers gained access
equivalent to an authenticated user
without the authentication procedure ever having taken place.
To do this,
they used a URL.
So,
rather than using valid credentials,
they entered a specially crafted path
that permitted them to avoid the authentication check.
Furthermore,
the Cybersecurity and Infrastructure Security Agency (CISA),
alongside the Federal Bureau of Investigation (FBI)
and the United States Coast Guard Cyber Command (CGCYBER),
investigated the tactics,
techniques and procedures used by threat actors
exploiting ManageEngine’s vulnerability.
The CISA published this information in an alert
on September 16.

Figure 1. CVE-2021-40539 exploit analysis flowchart.
Source: manageengine.com.

Once they gained access to the system,
the threat actors were able to make several changes.
For example,
they removed accounts
but also created their own
to have credentials at their disposal.
They could also remove indicators,
such as traces of software they installed,
to avoid detection.
They frequently used web shells,
that is,
web scripts that allowed them to use the web server
as a gateway into the network.
This way,
they could establish persistent access to the systems.
Importantly,
threat actors were able to steal credentials,
gain access to domain accounts
and archive files for exfiltration.

In the advisory,
users and administrators were urged to apply the patch.
We will see that
some remained unaware of the risk.

No-patch November

The attacks continued
even after the advisory was posted.
Researchers at Palo Alto Networks’ Unit 42
reported
that threat actors compromised networks
of at least nine organizations
in the sectors of education,
technology, defense, healthcare and energy
between September and October.
They believe
the attacks targeted at least 370 servers in the US.
However,
they say that the events
following the CISA advisory
belong to a different campaign
from the one described above.

This time,
the threat actors deployed publicly downloadable programs
to maintain access and anonymity:
a web shell called Godzilla
and a Trojan named NGLite,
respectively.
They also used KdcSponge,
a password-stealing tool
that injects itself into the Local Security Authority Subsystem Service
(LSASS) process,
where the system generates and stores a variety of credential materials.
There,
the tool collected usernames and passwords.

The Microsoft Threat Intelligence Center (MSTIC)
attributed
this recent campaign to DEV-0322,
based on the pattern of their attacks,
including their procedures and victims.
It is worth mentioning that
MSTIC gave the threat actors that name.
As they explain,
they use “DEV-#### designations
as a temporary name
given to an unknown,
emerging, or developing cluster of threat activity.”

MSTIC first observed this new campaign on September 22.
They listed three malicious activities
that characterize the attacks.
One of them is credential dumping.
The threat actors occasionally deployed a tool,
which they called elrs.exe in their code.
This tool can read security events and collect domains,
usernames and IP addresses.
Another characteristic is that,
after gaining credentials,
the threat actors installed malicious components
that extend the functionality of the server.
So,
for example,
by executing commands through new components,
the threat actor could observe incoming authentication credentials
and harvest them.
These could then be encoded and written in a file.
Lastly,
the threat actors deployed a Trojan
that Microsoft is calling “Zebracon.”
This malware can make connections to compromised email servers
to search through, read and send emails.

Deal with software vulnerabilities right now!

As we explained in a previous post,
it’s important to keep your software components updated
and be aware of their vulnerabilities.
The risk of exploitation is ever present,
as we learned that
the incidence rate of vulnerable and outdated components increased
from the previous OWASP Top 10 to the most recent one.

Admittedly,
the process of handling vulnerabilities on your own may be overwhelming.
A recent post
in Security Intelligence
suggests that the reason for this is that
the sum of detected vulnerabilities can amount to hundreds of thousands.
That is why you may want a helping hand.
This is where Fluid Attacks comes in.
We aim to find the vulnerabilities in your software
and report them to you as soon as possible.
Once you know what your vulnerabilities are,
you can start by handling those closest to mission-critical tasks,
all before malicious actors get their way in.
Of course,
we perform reattacks to check whether the vulnerabilities
we found in your software
have been successfully remediated.

Interesting,
right?
Contact us
and learn a lot more
about our Continuous Hacking service!

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/zoho-vulnerability/