CISA
Critical infrastructure
Industries
Manufacturing
Medical
Mining, Oil & Gas
News
Transportation
Utilities: Energy & Power, Water, Waste

US security agencies alert on active exploitation of a vulnerability in ManageEngine ADSelfService Plus

September 17, 2021
ADSelfService Plus

US agencies released on Thursday a joint advisory to highlight the cyber threat associated with the active exploitation of a newly identified vulnerability in ManageEngine ADSelfService Plus, self-service password management and single sign-on solution. 

APT cyber attackers have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors, including transportation, IT, manufacturing, communications, logistics, and finance. The illicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors, according to the alert.

The Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) have assessed that advanced persistent threat (APT) cyber hackers are likely among those exploiting the vulnerability, the alert said. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. 

The ADSelfService Plus is an integrated Active Directory solution used both on-premises and cloud applications. It enables users to securely reset forgotten passwords, unlock accounts, update contact information, and subscribe or unsubscribe from mail groups on their own. It also synchronizes Active Directory password resets and changes across on-premises and cloud applications in real-time so that users can have one password to access all accounts while enabling password changes to adhere to the organization’s password policies.

The security alert said that exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult, as the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between the exploitation of the vulnerability and the webshell, it added.

Affected organizations have been asked to immediately report an incident to CISA or the FBI on the existence of any of the following, including identification of indicators of compromise, presence of webshell code on compromised ManageEngine ADSelfService Plus servers, unauthorized access to or use of accounts, evidence of lateral movement by malicious hackers with access to compromised systems, or other indicators of unauthorized access or compromise, the alert said.

FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations to ensure ADSelfService Plus is not directly accessible from the internet. The agencies are proactively investigating and responding to this malicious cyber activity, according to the alert.

The security alert said that the FBI is leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. 

CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. CGCYBER has deployable elements that provide the cyber capability to marine transportation system critical infrastructure for proactive defense or response to incidents.

“Sharing technical and/or qualitative information with the FBI, CISA, and CGCYBER helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask and hold accountable, those conducting malicious cyber activities,” according to the alert.

 

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings