
No Place for Unpatched Systems

Zoho's software users waited too long to patch

By Jason Chavarría | November 17, 2021 | Category: Attacks

Threat actors are busy exploiting a known vulnerability in Zoho’s password management service, ManageEngine ADSelfService Plus. Not surprisingly, this is a vulnerability for which a patch has been publicly available since September 6. However, some users and administrators have not applied the update, so the vulnerability is still being exploited today.

Attackers found an open door

The vulnerability that’s the subject of this post is known as CVE-2021-40539. It has been rated critical under the Common Vulnerability Scoring System (CVSS), since systems that have missed the update are exposed to remote code execution. We explained this risk in a previous post. It means that unpatched systems allow internal or external attackers to trigger unexpected actions remotely (e.g., deploying malware or archiving files).

ManageEngine released a flowchart of its CVE-2021-40539 exploit analysis (see Figure 1), along with instructions on how to fix the vulnerability. According to that analysis, the attackers gained access equivalent to that of an authenticated user without any authentication ever having taken place. They did this with a URL: rather than presenting valid credentials, they requested a specially crafted path that let them sidestep the authentication check. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI) and the United States Coast Guard Cyber Command (CGCYBER), investigated the tactics, techniques and procedures used by the threat actors exploiting ManageEngine’s vulnerability. CISA published this information in an alert on September 16.

Figure 1. CVE-2021-40539 exploit analysis flowchart. Source: manageengine.com.
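The bypass described above, as a general pattern: an authentication filter that decides on the raw request path while the application routes on a canonicalised one, so a path that looks exempt to the filter lands on a protected handler. This is an added example and not ManageEngine’s code or the actual CVE-2021-40539 path, which the post does not give; the router, filter, prefixes and sample paths are all hypothetical, and the weak filter is shown beside a hardened one that canonicalises before checking.

```python
# Added illustration: a filter that checks the raw path while the router
# canonicalises it. Router, filter, prefixes and paths are hypothetical.
from posixpath import normpath
from urllib.parse import unquote

PUBLIC_PREFIXES = ("/api/login", "/health")   # exempt from authentication
PROTECTED_PREFIX = "/api/"                    # everything else here needs a session


def canonical(path: str) -> str:
    """Decode percent-encoding and collapse '.' / '..' the way a container does."""
    return normpath(unquote(path))


def route(path: str) -> str:
    """Hypothetical router: dispatches on the canonical path, never the raw one."""
    p = canonical(path)
    if p.startswith(PUBLIC_PREFIXES):
        return "public-handler"
    if p.startswith(PROTECTED_PREFIX):
        return "protected-handler"
    return "404"


def vulnerable_filter(path: str, authenticated: bool) -> str:
    """Weak: matches the exemption list against the raw path. A path that looks
    public here but canonicalises into /api/ reaches a protected handler with
    no session at all."""
    if path.startswith(PUBLIC_PREFIXES):
        return route(path)
    if path.startswith(PROTECTED_PREFIX) and not authenticated:
        return "401"
    return route(path)


def hardened_filter(path: str, authenticated: bool) -> str:
    """Fixed: canonicalise first, with the same rules the router uses, and make
    the decision on that single representation."""
    path = canonical(path)
    if path.startswith(PUBLIC_PREFIXES):
        return route(path)
    if path.startswith(PROTECTED_PREFIX) and not authenticated:
        return "401"
    return route(path)


if __name__ == "__main__":
    crafted = "/health/../api/users"   # constructed sample path, not the real one
    print("weak    :", vulnerable_filter(crafted, authenticated=False))  # protected-handler
    print("hardened:", hardened_filter(crafted, authenticated=False))    # 401
```

The check to take away is the last one: the filter and the router must agree on one canonical form of the path, or the exemption list becomes the bypass.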

Once they had gained access to the system, the threat actors were able to make several modifications. For example, they removed accounts but also created their own so as to have credentials at their disposal. They also removed indicators, such as traces of the software they installed, to avoid giving themselves away. They frequently used web shells, that is, web scripts that let them use the web server as a gateway into the network, and in this way established persistent access to the systems. Importantly, the threat actors were able to steal credentials, gain access to domain accounts and archive files for exfiltration.

In the advisory, users and administrators were urged to apply the patch. We will see that some remained unaware of the risk.

No-patch November

The attacks continued even after the advisory was posted. Researchers at Palo Alto Networks' Unit 42 reported that, between September and October, threat actors compromised the networks of at least nine organizations in the education, technology, defense, healthcare and energy sectors. They believe the attacks targeted at least 370 servers in the US. However, they say that the events following the CISA advisory belong to a different campaign from the one described above.

This time, the threat actors deployed publicly downloadable programs to maintain access and anonymity: a web shell called Godzilla and a Trojan named NGLite, respectively. They also used KdcSponge, a password-stealing tool that injects itself into the Local Security Authority Subsystem Service (LSASS) process, where the system generates and stores a variety of credential material, and collects usernames and passwords there.

The Microsoft Threat Intelligence Center (MSTIC) attributed this recent campaign to DEV-0322, based on the pattern of their attacks, including their procedures and victims. It is worth mentioning that MSTIC gave the threat actors that name. As they explain, they use "DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity."

MSTIC first observed this new campaign on September 22. They listed three malicious activities that characterize the attacks. One of them is credential dumping: the threat actors occasionally deployed a tool, which they called elrs.exe in their code, that can read security events and collect domains, usernames and IP addresses. Another characteristic is that, after gaining credentials, the threat actors installed malicious components that extend the functionality of the server. For example, by executing commands through these new components, the threat actor could observe incoming authentication credentials and harvest them; these could then be encoded and written to a file. Lastly, the threat actors deployed a Trojan that Microsoft is calling "Zebracon." This malware can connect to compromised email servers to search through, read and send emails.

Deal with software vulnerabilities right now!

As we explained in a previous post, it’s important to keep your software components updated and to be aware of their vulnerabilities. The risk of exploitation is ever present: we learned that the incidence rate of using vulnerable and outdated components increased between the most recent OWASP Top 10 and its predecessor.

Admittedly, handling vulnerabilities on your own may be overwhelming. A recent post in Security Intelligence suggests that this is because the number of detected vulnerabilities can reach hundreds of thousands. That is why you may want a helping hand, and this is where Fluid Attacks comes in. We aim to find the vulnerabilities in your software and report them to you ASAP. Once you know what your vulnerabilities are, you can start handling those closest to mission-critical tasks, all before malicious actors find their way in. Of course, we also perform reattacks to check whether the vulnerabilities we found in your software have been successfully remediated.

Interesting, right? Contact us and learn a lot more about our Continuous Hacking service!