US agencies released on Thursday a joint advisory to highlight the cyber threat associated with the active exploitation of a newly identified vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.
APT cyber attackers have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors, including transportation, IT, manufacturing, communications, logistics, and finance. The illicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors, according to the alert.
The Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) have assessed that advanced persistent threat (APT) actors are likely among those exploiting the vulnerability, the alert said. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.
ADSelfService Plus is an integrated Active Directory self-service solution that covers both on-premises and cloud applications. It enables users to securely reset forgotten passwords, unlock accounts, update contact information, and subscribe or unsubscribe from mail groups on their own. It also synchronizes Active Directory password resets and changes across on-premises and cloud applications in real time, so that users can have one password to access all accounts while password changes still adhere to the organization's password policies.
The security alert said that exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult, as the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between the exploitation of the vulnerability and the webshell, it added.
Affected organizations have been asked to immediately report an incident to CISA or the FBI on finding any of the following: indicators of compromise, webshell code on compromised ManageEngine ADSelfService Plus servers, unauthorized access to or use of accounts, evidence of lateral movement by malicious actors with access to compromised systems, or other indicators of unauthorized access or compromise, the alert said.
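The alert's point that the attackers' clean-up scripts obscure the link between the exploit and the webshell is why a file-integrity baseline matters: a webshell dropped into the web root is still a new or modified file regardless of what was deleted from the logs. The following is an added example, not code from the advisory or from ManageEngine, showing a defender-side check that compares a known-good manifest of a web root against its current state and flags new or modified web-executable files, plus a simple content heuristic for JSP files. The web root layout, the file names, and the "command-execution pattern" regex are all assumptions constructed for the demo, not indicators published in the alert.

```python
"""Baseline-diff check for unexpected web-executable files (added example, not from the advisory)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions that a Java web application server would execute; an assumption for this demo.
WEB_EXEC_EXTENSIONS = {".jsp", ".jspx", ".war", ".class"}

# Crude content heuristic for JSP files that shell out; an assumption, not an IoC from the alert.
SUSPICIOUS_PATTERNS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def find_suspicious(root: Path, baseline: Dict[str, str]) -> List[dict]:
    """Compare the current tree against a known-good baseline.

    Flags web-executable files that are new, whose hash changed, or whose
    JSP content matches a command-execution pattern. Each finding carries
    the reasons so an analyst can triage quickly.
    """
    findings: List[dict] = []
    current = build_manifest(root)
    for rel, digest in current.items():
        ext = Path(rel).suffix.lower()
        if ext not in WEB_EXEC_EXTENSIONS:
            continue
        reasons: List[str] = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if ext in (".jsp", ".jspx") and SUSPICIOUS_PATTERNS.search((root / rel).read_bytes()):
            reasons.append("command-execution pattern")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


def demo() -> List[dict]:
    """Constructed sample: a fake web root baselined while clean, then altered.

    The dropped file and the modified page are fabricated for the demo and are
    deliberately not functional code; they exist only to trigger the checks.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "help").mkdir()
        (root / "help" / "index.jsp").write_bytes(b"<html>help</html>")
        (root / "logo.png").write_bytes(b"\x89PNG")
        baseline = build_manifest(root)  # taken when the install was known-good

        # Simulated post-exploitation changes (constructed, not real advisory samples).
        (root / "help" / "admin-api.jsp").write_bytes(
            b"<% /* constructed sample */ Runtime.getRuntime().exec( ... ) %>"
        )
        (root / "help" / "index.jsp").write_bytes(b"<html>help</html><!-- modified -->")
        return find_suspicious(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["reasons"])
```

In practice the baseline would be generated right after a clean install or upgrade and stored off-host, since an attacker with write access to the server can rewrite a manifest kept beside the web root. The hash comparison is what catches a webshell whose name blends in with legitimate pages; the content regex is only a secondary hint and will miss obfuscated shells, so treat any new web-executable file as the primary signal.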
FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations to ensure ADSelfService Plus is not directly accessible from the internet. The agencies are proactively investigating and responding to this malicious cyber activity, according to the alert.
The security alert said that the FBI is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.
CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. CGCYBER has deployable elements that provide the cyber capability to marine transportation system critical infrastructure for proactive defense or response to incidents.
“Sharing technical and/or qualitative information with the FBI, CISA, and CGCYBER helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask and hold accountable, those conducting malicious cyber activities,” according to the alert.