ManageEngine ADSelfService Plus has been abused in the wild due to a zero-day vulnerability
ManageEngine ADSelfService Plus has been abused in the wild due to a zero-day vulnerability
THREAT LEVEL: Red.
For a detailed advisory, download the pdf file here.
An APT actor is attempting to exploit a zero-day vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution that poses a high risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software. The FBI, CISA, and CGCYBER highly advise companies to ensure that ADSelfService Plus is not directly accessible via the internet. The Hive pro threat research team also recommends that ADSelfService be updated to version 6114.
The techniques used by the APT actor includes:
- T1190 – Exploit Public-Facing Application
- T1505.003 – Server Software Component: Web Shell
- T1027 – Obfuscated Files or Information
- T1140 – Deobfuscate/Decode Files or Information
- T1003 – OS Credential Dumping
- T1218 – Signed Binary Proxy Execution
- T1136 – Create Account
- T1003.003 – OS Credential Dumping: NTDS
- T1047 – Windows Management Instrumentation
- T1070.004 – Indicator Removal on Host: File Deletion
- T1087.002 – Account Discovery: Domain Account
- T1560.001 – Archive Collected Data: Archive via Utility
- T1573.001 – Encrypted Channel: Symmetric Cryptography
Vulnerability Details
Indicators of Compromise (IoCs)
Patch Link
References
