A joint advisory has been released by the FBI, CISA, and CGCYBER regarding the active exploitation of a newly identified vulnerability (CVE-2021-40539). The flaws exist in self-service password management and single sign-on solution ManageEngine ADSelfService Plus. The flaw is being exploited by nation-state hackers.
What has happened?
According to the advisory, APTs have already abused this flaw to target defense contractors, academic institutions, and manufacturing, communications, logistics, IT, finance, and transportation infrastructure.
Successful exploitation of the vulnerability leads to the placement of web shells to compromise administrator credentials, perform lateral movement, and steal registry hives and Active Directory files.
Since August, the vulnerability is being exploited and attackers are writing web shells to disk for persistence, obfuscating files or info, and further operations to dump user credentials.
Some attackers have abused the flaw to add/delete user accounts, steal copies of the Active Directory database, delete files to remove indicators, and use Windows tools to collect/archive files.
According to CISA, nation-state hackers are abusing the vulnerability to upload a .zip file with a JavaServer Pages (JSP) web shell pretending to be an x509 certificate: service.cer.
After that, more requests are being made from various API endpoints to exploit the victim's system. After initial abuse, /help/admin-guide/Reports/ReportGenerate[.]jsp is used to access the web shell.
The attacker tries to move laterally with WMI, obtain access to a domain controller, dump NTDS[.]dit and SECURITY/SYSTEM registry hives, and continue on with the compromise.
Additionally, the attackers run clean-up scripts to remove evidence of the entry point of infection and hide any connection between the web shell and exploitation of the vulnerability.
Since APT groups are already abusing the recently discovered flaw, ManageEngine users should apply patches as soon as possible to avoid getting compromised. Moreover, organizations are suggested to baseline the normal behavior in web server logs to spot a web shell when deployed.