First, the good news: ManageEngine patched a vulnerability in its Active Directory-related management software earlier this year. The bad news: Hackers leveraged the vulnerability to launch a cyberattack campaign against at least nine global organizations in late September and early October of 2021, according to Palo Alto Networks.
ManageEngine ADSelfService Plus self-service password management and single sign-on solution (SSO) solution. Concern about the platform surfaced on September 16, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert to warn organizations that advanced persistent threat (APT) actors were exploiting ADSelfService Plus vulnerabilities.
As early as September 17, a threat actor used leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet, Palo Alto Networks noted. From here, the actor initiated exploitation attempts starting on September 22 across organizations in the technology, defense, healthcare, energy and education industries.
Furthermore, the threat actor uploaded a malicious payload onto victims' networks, Palo Alto Networks said. This allowed the actor to run commands and move laterally to other systems on victims' networks and exfiltrate files.
The threat actor also used the KdcSponge credential-stealing tool as part of the campaign, Palo Alto Networks reported. KdcSponge injects itself into a Local Security Authority Subsystem Service process and gathers usernames and passwords from accounts attempting to authenticate to a domain via the Kerberos network authentication protocol.
How Can Organizations Guard Against ADSelfService Plus Cyberattack Campaign
CISA offered the following recommendations to help organizations identify ADSelfService Plus indicators of compromise (IOCs) within their networks:
- Update to ADSelfService Plus build 6114.
- Verify that ADSelfService Plus is not directly accessible from the internet.
- Use domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised.
In addition, organizations should notify CISA or the FBI if they find the presence of webshell code on compromised ADSelfService Plus servers, unauthorized access to or use of their accounts, evidence of lateral movement by malicious actors with access to compromised systems or other IOCs.