A vulnerability in a self-service password management and single sign-on solution used by 11,000 companies has led to network compromises in at least nine organizations across the globe, underscoring the risks of failing to quickly patch Internet-connected infrastructure.
Since mid-September, a group of cyberattackers has scanned the Internet for potentially vulnerable servers running Zoho's ManageEngine ADSelfService Plus password reset management program, after the software developer and cloud service provider patched an authentication-bypass vulnerability on Sept. 6. Once the attackers successfully compromised the vulnerability, they installed two or three other attack tools to retain persistent access on the network and gather credentials from the Active Directory server, researchers at Palo Alto Networks stated in an analysis posted on Nov. 7.
Any company that uses Zoho ManageEngine ADSelfService Plus should check to make sure that no evidence of a compromise exists, says Ryan Olson, vice president of threat intelligence for Palo Alto Networks' Unit 42 threat intelligence team.
"If you were compromised to that level and then you just patched the vulnerability, they are already stealing all the passwords off your Active Directory server," he says. "You may think you cleaned it up, but you are still thoroughly owned, so if you identify any of the [indicators of compromise] in our report, you need to do a full [incident response'."
The attack targeting the Zoho ManageEngine vulnerabilities is just the latest attack that relied on exploiting an Internet-facing vulnerability.
For the past three years, attackers have focused on vulnerabilities in Internet-facing virtual private networking (VPN) appliances and software as their launching point for attacks. In March, Chinese threat groups focused on four security issues in Microsoft's Exchange Server 2000 to breach company networks. And in July, Russian and Ukrainian cybercriminals used a zero-day vulnerability in Kaseya Virtual System Administrator (VSA) servers to compromise dozens of companies, including managed service providers, leading to the compromise of as many as 1,500 organizations.
The trend has underscored the danger of not staying on top of patching for these Internet-facing systems, especially as remote work has expanded during the coronavirus pandemic, pushing more infrastructure into the cloud, where it can be accessed over the public Internet, Olson says.
"When an attackers identify a new vulnerability, and they can exploit it, and people are not patching, they start scanning to find vulnerable systems so they can walk through that front door that was left open," he says. "Any of these application that are Internet facing, you need to stay so much on top of in patching them because they are a really fast way for an attacker to exploit and compromise networks."
Zoho fixed the ManangeEngine ADSelfService Plus authentication-bypass vulnerability (CVE-2021-40539) and notified users on Sept. 6, but within 10 days attackers were already scanning for the critical security issues, according to a warning issued by the FBI, US Coast Guard Cyber Command (GCCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA).
More than 11,000 instances of the server software is accessible via the Internet, and at least 370 instances are active in the United States, according to Palo Alto Networks' analysis.
On compromised systems, the attackers moved quickly to install a publicly available Web shell, known as Godzilla, as well as — in some cases — a backdoor program, NGLite, a custom backdoor program written in the Go language and available on GitHub. Finally, the attackers used a new program that Palo Alto Networks called KdcSponge, which harvests credentials.
"KdcSponge will capture the domain name, username and password to a file on the system that the threat actor would then exfiltrate manually through existing access to the server," the analysis stated.
While Zoho issued the original patch two months ago, Palo Alto Networks' Olson worries that many companies are still vulnerable. "Zoho fixed the issue, but companies have to update to get the patch and not everyone does that right away," he says.
Companies should patch the issue, if they have not already, and then conduct an incident response investigation, because if the attackers already gained access, patching will not secure a company's network, says Olson.
Palo Alto Networks continues to see scanning for the issue.
"The findings underscore the need for organizations to quickly respond to disclosures of critical vulnerabilities by installing patches and taking other precautions to block attacks," the company said in a statement. "This is especially the case for high-value targets in critical sectors that are constantly being probed for vulnerabilities."