Warning from US government agency urges prompt triage

Nation-state attackers are hammering ManageEngine vulnerability

Cyber-attackers have begun exploiting a newly discovered security vulnerability in ManageEngine, a self-service password management and single sign-on package.

A run of attacks on the CVE-2021-40539 vulnerability has prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the US Coast Guard, and the FBI to push out a joint alert urging enterprises to apply recently released patches.

CVE-2021-40539 presents a critical authentication bypass risk affecting REST API URLs that could enable remote code execution.

Echoes of SolarWinds

Worse yet, the flaws in the vulnerable ManageEngine ADSelfService Plus component pose a “serious risk to critical infrastructure companies” – not least because this sort of vulnerability is fodder for well-resourced state-sponsored attackers.

Although the CISA alert does not say so explicitly, the agency is clearly worried that the vulnerability could inflict damage comparable to that wrought via the infamous 2019-20 SolarWinds Orion flaws.

The SolarWinds vulnerabilities were the focus of supply chain attacks ultimately aimed at US government agencies and blamed on Russian government-backed attackers.

The CISA alert makes it clear that attacks based on the recently discovered ManageEngine vulnerability are already taking place across multiple targets in many sensitive industries:

APT cyber actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors – including transportation, IT, manufacturing, communications, logistics, and finance. Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors.

The route to attack is already tried and tested. “Successful compromise of ManageEngine ADSelfService Plus, via exploitation of CVE-2021-40539, allows the attacker to upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an x509 certificate: service.cer.

“Subsequent requests are then made to different API endpoints to further exploit the victim's system,” CISA added.


Successful exploitation would allow an attacker to pop webshells, opening the door to all manner of malfeasance including, but likely not limited to, compromising administrator credentials, conducting lateral movement, and stealing system files.

Zoho, the firm that develops and markets ManageEngine technology, released updates on September 6.

Enterprise users should carry out triage on systems running the platform and either upgrade to ADSelfService Plus build 6114 (the best option) or keep earlier systems off the internet and check for potential indicators of compromise – assuming patching is not an immediate possibility.

The CISA alert offers a rundown on indications of compromise and other information designed to help sysadmins.
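As an added example (not part of the original article or of CISA's published guidance), a Python triage check in the spirit of the indicators discussed above: it inspects an archive for .cer entries whose content is JSP source rather than certificate data, which is the service.cer disguise the alert describes. The sample archive, its entry names other than service.cer, and the JSP marker strings are constructed assumptions.

```python
import base64
import io
import re
import zipfile

JSP_MARKERS = (b"<%", b"<jsp:")  # assumed markers of JSP source
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----")

def looks_like_certificate(data: bytes) -> bool:
    """True if data is plausibly a PEM or DER encoded X.509 certificate."""
    m = PEM_RE.search(data)
    if m:
        try:
            base64.b64decode(m.group(1), validate=False)
            return True
        except ValueError:
            return False
    # DER certificates start with an ASN.1 SEQUENCE tag (0x30).
    return len(data) > 2 and data[0] == 0x30

def classify_file(name: str, data: bytes) -> str:
    """Return 'ok', 'suspicious' or 'webshell' for a file by name and content."""
    if not name.lower().endswith(".cer"):
        return "ok"
    if any(marker in data for marker in JSP_MARKERS):
        return "webshell"
    if not looks_like_certificate(data):
        return "suspicious"
    return "ok"

def scan_zip(zip_bytes: bytes) -> dict:
    """Classify every file entry in an archive; returns {entry name: verdict}."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                verdicts[info.filename] = classify_file(info.filename, zf.read(info))
    return verdicts

def build_sample_zip() -> bytes:
    """Constructed sample: a benign PEM-style .cer and a JSP page named service.cer."""
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x01")
           + b"\n-----END CERTIFICATE-----\n")  # placeholder DER body, not a real cert
    jsp = b'<%@ page import="java.io.*" %><% out.println("placeholder"); %>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certs/real.cer", pem)
        zf.writestr("service.cer", jsp)
    return buf.getvalue()
```

A "suspicious" verdict covers .cer files that are neither JSP nor parseable as a certificate and should be reviewed by hand rather than ignored.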
