Click any sentence to highlight it.

Welcome to Briefly
your tl;dr for the Internet

You can use Briefly to save content for yourself and to share across your social networks, including Twitter and LinkedIn. Your highlights contribute to organized feeds, curated by real people like you who care about the same topics.

Together we can build a better newsfeed!

More about Briefly.

Welcome to Briefly
your tl;dr for the Internet. About Briefly

Highlight and share articles

Build a better feed for yourself and others

U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day | SecurityWeek.Com
Problem with this article? Report
Tracked as CVE-2021-40539 and rated critical severity (CVSS score of 9.8), the vulnerability has been exploited since August 2021 to execute code remotely and take over vulnerable systems.
Affecting the representational state transfer (REST) application programming interface (API) URLs of the self-service password management and single sign-on solution, the issue is an authentication bypass bug that affects all ADSelfService Plus builds up to 6113.
"The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability," reads a joint advisory issued on Thursday.
Academic institutions, critical infrastructure (communications, finance, IT, logistics, manufacturing, transportation, and others), and defense contractors are at risk of compromise because of their use of ADSelfService Plus.
"Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," the advisory reads.
An attacker able to successfully exploit CVE-2021-40539 can upload a .
zip archive containing a JavaServer Pages (JSP) webshell posing as an x509 certificate.
The attacker then leverages Windows Management Instrumentation (WMI) for lateral movement.
Adversaries also attempt to access domain controllers and expand access.
"Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult-the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell," the joint advisory reads.
The security defect was addressed in ADSelfService Plus build 6114 and customers are advised to update to it as soon as possible.
Furthermore, the FBI, CISA, and CGCYBER strongly recommend that organizations keep ADSelfService Plus disconnected from the Internet.
Previous Columns by Ionut Arghire: