Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Global Companies Compromised via ADSelfService Plus Exploitation

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

At least nine global organizations have been compromised in attacks targeting a recent vulnerability in ManageEngine ADSelfService Plus, according to a warning from researchers at Palo Alto Networks.

The vulnerability was made public in early September when zero-day attacks were discovered exploiting CVE-2021-40539, a critical severity (CVSS 9.8) flaw that allows attackers to bypass authentication on the self-service password management and single sign-on solution.

Immediately after, Zoho provided patches for the underlying security defects and the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert to urge administrators to review and apply the patches as soon as possible.

A week later, CISA, the FBI, and the Coast Guard Cyber Command (CGCYBER) issued an advisory to warn of advanced persistent threat (APT) actors targeting the vulnerability in attacks, underlining that academic institutions, critical infrastructure, and defense contractors are at risk the most.

[ READ: Zoho Confirms Zero-Day Authentication Bypass Attacks ]

According to Palo Alto Networks researchers, following the scanning of hundreds of vulnerable ADSelfService Plus deployments on September 17, adversaries started actual exploitation attempts on September 22.

“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” Palo Alto Networks said in a research report.

Following the initial compromise, the threat actor installed a Godzilla webshell onto the vulnerable systems while some organizations were also infected with a new version of the NGLite backdoor. Both are publicly available on GitHub.

Advertisement. Scroll to continue reading.

Leveraging these tools, the adversaries then moved laterally onto the compromised network and exfiltrated data of interest. On domain controllers, the attackers installed the KdcSponge credential-stealing tool.

Palo Alto Networks said it was unable to associate the activity with a known adversary, but did observe similarities with the tactics and tooling used by Emissary Panda (TG-3390, APT27).

Consistent across the attacks was the fact that sensitive files were exfiltrated through password-protected multi-volume RAR archives that were downloaded directly from externally facing web servers.

“[We] believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the Palo Alto Networks researchers added.

Related: CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch

Related: Port of Houston Target of Suspected Nation-State Hack

Related: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.