The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security, together with the FBI and the US Coast Guard Cyber Command (CGCYBER), is warning of a critical vulnerability in the single sign-on software of the Indian company Zoho. The affected component is ADSelfService Plus, part of Zoho's ManageEngine suite. According to CISA, the vulnerable software is in use at many organizations, including US universities and government-recognized security agencies.
Every attacker's dream
The vulnerability (CVE-2021-40539) is rated critical, with a CVSS score of 9.8 out of a maximum of 10. Attackers can abuse it to bypass the software's authentication and execute arbitrary code over the network via its REST API. That is particularly serious because ADSelfService Plus manages credentials for a company's cloud accounts and for its Windows Active Directory. The hole is therefore ideal for gaining an initial foothold in an organization and then spreading from there to the rest of the network, what attackers call lateral movement.
CISA, the FBI and CGCYBER have already observed attacks. US authorities therefore urge affected companies and organizations to secure every installation of ADSelfService Plus immediately. Zoho has released a fix (build 6114), which administrators should install now if they have not already done so.
Attacks are difficult to detect
Because attackers who abuse the vulnerability can steal administrative credentials for every system in the corporate network, including the individual PCs on it, the clean-up is not finished once the patch has been installed. Administrators must also make sure the attackers have not already moved deeper into the network and established a foothold on other systems. According to CISA, the vulnerability is being actively exploited by well-organized APT groups, which are generally good at hiding the traces of their attacks, making it harder to find the intruders on one's own network.
To exploit the hole, the attackers currently upload a web shell to the target system via the REST API, disguised as an X.509 certificate. The supposed certificate is in fact a zip archive containing a Java Server Pages (JSP) file. Further requests to other API endpoints then cause the web shell to run, giving the attacker access to the system. From there they move on to the domain controller via Windows Management Instrumentation (WMI).
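The upload step described above gives defenders a concrete check: anything submitted as a certificate can be tested for what it actually is before the application treats it as one. The following Python is an added example, not Zoho's code and not from the original article; the function names, the suffix list and the sample uploads are constructed for illustration, and the DER check only verifies the outer structure, so a real X.509 parser still has the final word.

```python
"""Pre-filter for files a client submits as an "X.509 certificate".

Added example (not Zoho's code or the article's): the attack described
above hides a JSP web shell inside a zip archive that is uploaded as if it
were a certificate. This check asks what the bytes really are. It is a
structural pre-filter, not an X.509 validator; a real parser still has
to accept anything it lets through.
"""
import base64
import binascii
import io
import zipfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"
# Server-side executable content that has no business in a certificate upload
# (assumed list; extend for your application server).
SUSPICIOUS_SUFFIXES = (".jsp", ".jspx", ".war", ".jar", ".class")


def _der_outer_length(buf: bytes):
    """Total length of the outermost DER TLV if buf starts with SEQUENCE, else None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_der_certificate(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE (the outer shape of every X.509 cert)."""
    total = _der_outer_length(buf)
    return total is not None and total == len(buf)


def _pem_body(data: bytes):
    """Base64-decoded body if data is a single PEM CERTIFICATE block, else None."""
    text = data.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        return None
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    try:
        return base64.b64decode(body)      # line breaks inside the body are ignored
    except (binascii.Error, ValueError):
        return None


def classify_certificate_upload(data: bytes) -> dict:
    """Classify an upload that claims to be a certificate.

    Returns {"kind": ..., "verdict": "reject" | "plausible", "suspicious": [...]}.
    Archives are checked first: a file can carry a PEM header and still be a
    valid zip, because zip readers locate the archive from its end.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        suspicious = [n for n in names if n.lower().endswith(SUSPICIOUS_SUFFIXES)]
        return {"kind": "zip", "verdict": "reject", "suspicious": suspicious}
    body = _pem_body(data)
    if body is not None:
        ok = looks_like_der_certificate(body)
        return {"kind": "pem", "verdict": "plausible" if ok else "reject", "suspicious": []}
    if looks_like_der_certificate(data):
        return {"kind": "der", "verdict": "plausible", "suspicious": []}
    return {"kind": "unknown", "verdict": "reject", "suspicious": []}


# Constructed samples (not real attacker artefacts): a zip holding a JSP file,
# and a PEM block wrapping a minimal DER SEQUENCE so the structural check passes.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("shell.jsp", "<% /* placeholder */ %>")
SAMPLE_ZIP_UPLOAD = _buf.getvalue()
SAMPLE_PEM_UPLOAD = (PEM_HEADER + b"\n"
                     + base64.b64encode(b"\x30\x03\x02\x01\x01") + b"\n"
                     + PEM_FOOTER + b"\n")

if __name__ == "__main__":
    for label, sample in (("zip", SAMPLE_ZIP_UPLOAD), ("pem", SAMPLE_PEM_UPLOAD)):
        print(label, classify_certificate_upload(sample))
```

The zip test runs first on purpose: a polyglot that starts with a PEM header but ends with a valid zip central directory is still an archive to every zip reader, so a check that trusts the header would pass exactly the kind of upload described above.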
Indicators of compromise
CISA, the FBI and CGCYBER recommend watching for the following attacker techniques:
- wmic.exe used to move from host to host and run malicious code on other systems in the network
- Windows credentials read in plain text from a compromised ADSelfService Plus system
- pg_dump.exe used to dump the ManageEngine databases
- NTDS.dit and the SECURITY/SYSTEM/NTUSER registry hives read out
- Data collected on the network then exfiltrated via the web shell
- Activity concealed behind already compromised, legitimate-looking US infrastructure
- Log entries that could reveal the attackers selectively deleted
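As an added example (not part of the article or of the CISA advisory), the following Python turns the indicators above into rules run over constructed process-creation events. The event format (host|user|image|command line), the rule names, the sample hosts and command lines are all assumptions; the 6114 build threshold comes from the update named above. Adapt the parser to your own Sysmon Event ID 1 or Security 4688 export.

```python
"""Scan process-creation events for the post-exploitation behaviour listed above.

Added example, not from the article or from CISA. The rules are string checks
over a constructed event format; adapt them to your real telemetry.
"""
import re
from dataclasses import dataclass

FIXED_BUILD = 6114  # first ADSelfService Plus build that fixes CVE-2021-40539


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str):
    """Parse 'host|user|image|cmdline'; return None for blank or malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    return ProcEvent(*parts)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_wmi_remote_exec(e: ProcEvent) -> bool:
    """wmic.exe pointed at another host (/node:) to run commands there; local wmic is ignored."""
    return _basename(e.image) == "wmic.exe" and "/node:" in e.cmdline.lower()


def rule_pg_dump(e: ProcEvent) -> bool:
    """pg_dump.exe dumping the ManageEngine PostgreSQL database.

    The product's own backup routines may also run pg_dump, so baseline the
    parent process and schedule before alerting on this rule alone.
    """
    return _basename(e.image) == "pg_dump.exe"


def rule_ntds_dit_access(e: ProcEvent) -> bool:
    """ntdsutil, or any command line that names NTDS.dit, on a domain controller."""
    return _basename(e.image) == "ntdsutil.exe" or "ntds.dit" in e.cmdline.lower()


_HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm\\(?:security|system|sam)|hku\\)", re.I)


def rule_registry_hive_dump(e: ProcEvent) -> bool:
    """reg save of the SECURITY/SYSTEM hives or of a user (NTUSER) hive."""
    return _HIVE_SAVE.search(e.cmdline) is not None or "ntuser.dat" in e.cmdline.lower()


RULES = [
    ("wmi_remote_exec", rule_wmi_remote_exec),
    ("pg_dump", rule_pg_dump),
    ("ntds_dit_access", rule_ntds_dit_access),
    ("registry_hive_dump", rule_registry_hive_dump),
]


def scan_events(text: str) -> list:
    """Run every rule over every parseable event; one finding per (event, rule) hit."""
    findings = []
    for line in text.splitlines():
        e = parse_event(line)
        if e is None:
            continue
        for name, rule in RULES:
            if rule(e):
                findings.append({"rule": name, "host": e.host, "user": e.user, "cmdline": e.cmdline})
    return findings


def is_fixed_build(build: int) -> bool:
    """True if an ADSelfService Plus build number already carries the fix."""
    return build >= FIXED_BUILD


# Constructed sample events (assumed hosts, users and paths, not real log data).
SAMPLE_EVENTS = r"""
ADSSP01|NT AUTHORITY\SYSTEM|C:\Windows\System32\wbem\wmic.exe|wmic /node:DC01 process call create "cmd /c whoami"
ADSSP01|CORP\svc_adssp|C:\ManageEngine\ADSelfService Plus\pgsql\bin\pg_dump.exe|pg_dump.exe -U postgres -f C:\Windows\Temp\adssp.dmp adsm
DC01|CORP\Administrator|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q
DC01|CORP\Administrator|C:\Windows\System32\reg.exe|reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv
WS42|CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe report.txt
WS42|CORP\bob|C:\Windows\System32\wbem\wmic.exe|wmic os get caption
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['rule']:20} {f['host']:8} {f['user']:22} {f['cmdline']}")
    print("build 6113 fixed:", is_fixed_build(6113), "/ build 6114 fixed:", is_fixed_build(6114))
```

The last two sample events are deliberate non-hits: a local wmic query without /node: and an ordinary user process. Their absence from the findings is as much part of the check as the four hits, since the whole point of an APT-focused hunt is to separate the lateral-movement pattern from everyday administrative noise.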
US authorities recommend updating and hardening the ADSelfService Plus service and, if the NTDS.dit file was accessed, changing all passwords in the domain and resetting the Kerberos Ticket Granting Tickets (TGTs), which means resetting the password of the krbtgt account.
(Fab)