Attackers Exploit Zoho Vulnerability & Access Windows LSASS API

Cybersecurity firm Palo Alto Networks has warned of an ongoing campaign that has compromised at least nine critical organizations worldwide, spanning defense, healthcare, energy, tech and education. The threat actors behind this campaign exploited a vulnerability in Zoho’s enterprise password management solution, ManageEngine ADSelfService Plus, which allows remote code execution on unpatched systems. The attackers also used KdcSponge, a credential-stealing malware that accesses Windows LSASS API functions to capture credentials (domain names, usernames and passwords). Needless to say, this is far from trivial. In fact, it is downright dangerous.
Yariv Shivek, VP of Product at Neosec, had this to say:
“Service exploitation is always best mitigated by WAF and NGAV solutions. However, no security control is infallible, and when those controls are not present, or fail to detect and block the attacks, compensating controls better be in place.”
“In this case, an attack against a ManageEngine REST API started with the exploitation of a zero-day authentication bypass vulnerability. Having gained full access to the API, the attackers had a much larger attack surface to work with. They found other vulnerable API endpoints that allowed for arbitrary file writes and command injection, and by chaining all 3 together managed to drop in webshells and proceed to completely take over the servers running the vulnerable API implementation, pivoting from them into the victims’ networks.”
“This pattern is not unique – signature matching is inherently useless against zero-day attacks for which no signature exists.”
“Thus, when developing your own APIs – test them for security vulnerabilities; when deploying them in production – monitor their usage to detect any anomalous behavior.”
“And remember: Anomaly detection often prevails where signatures fail.”
If you’re a Zoho user, consider yourself warned.
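The advice quoted above, to monitor API usage and flag anomalous behaviour rather than rely on signatures, is easy to state and rarely shown. The following is an added example, not code from the article, from Neosec or from Zoho: it learns a baseline from a window of "known good" API access-log lines and then flags, in a later window, endpoints nobody used before, a client making far more requests than the baseline population, and a client whose requests are mostly rejected. The log format, the paths (`/api/v1/...`) and the client addresses are all constructed for the demo and are not ManageEngine ADSelfService Plus endpoints.

```python
"""Baseline-and-deviation anomaly detection over web API access logs.

Added example, not code from the article or from Neosec: learn what normal
traffic looks like, then flag requests that deviate, with no attack signature
involved. Log format, paths and client addresses are constructed for the demo
and are not ManageEngine ADSelfService Plus endpoints.
"""
from collections import Counter, defaultdict
import re
import statistics

# Constructed "known good" traffic window: <client> <method> <path> <status>
BASELINE_LOG = """
10.0.0.5 GET /api/v1/users 200
10.0.0.5 GET /api/v1/users 401
10.0.0.5 POST /api/v1/password/reset 200
10.0.0.6 GET /api/v1/users 200
10.0.0.6 GET /api/v1/users 200
10.0.0.6 GET /api/v1/users/me 200
10.0.0.6 POST /api/v1/password/reset 200
10.0.0.6 POST /api/v1/password/reset 200
10.0.0.7 GET /api/v1/users/me 200
10.0.0.7 GET /api/v1/users/me 200
10.0.0.7 POST /api/v1/password/reset 200
10.0.0.7 POST /api/v1/password/reset 200
10.0.0.8 GET /api/v1/users 200
10.0.0.8 GET /api/v1/users 200
10.0.0.8 GET /api/v1/users/me 200
10.0.0.8 GET /api/v1/users/me 200
"""

# Constructed observation window: known clients behaving as before, plus one
# new client that is repeatedly rejected and then reaches paths never seen.
OBSERVED_LOG = """
10.0.0.5 GET /api/v1/users 200
10.0.0.5 POST /api/v1/password/reset 200
10.0.0.6 GET /api/v1/users/me 200
10.0.0.7 GET /api/v1/users/me 200
198.51.100.23 GET /api/v1/users 401
198.51.100.23 GET /api/v1/users 401
198.51.100.23 GET /api/v1/users 401
198.51.100.23 GET /api/v1/users 401
198.51.100.23 GET /api/v1/users 401
198.51.100.23 GET /api/v1/admin/config 200
198.51.100.23 GET /api/v1/admin/config 200
198.51.100.23 POST /api/v1/admin/upload 200
198.51.100.23 POST /api/v1/admin/upload 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(log_text):
    """Turn raw access-log lines into dicts; malformed lines are skipped."""
    events = []
    for raw in log_text.strip().splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            event = match.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def build_baseline(events):
    """Which (method, path) pairs occur at all, and how many requests one client makes per window."""
    per_client = Counter(e["client"] for e in events)
    counts = list(per_client.values())
    return {
        "endpoints": Counter((e["method"], e["path"]) for e in events),
        "mean": statistics.fmean(counts),
        "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
    }


def detect(baseline, events, z=3.0, error_share=0.5, min_errors=3):
    """Return (rule, client, detail) tuples: unseen endpoint, volume spike, or mostly-rejected client."""
    findings = []
    reported = set()  # (client, endpoint) pairs already reported as new
    per_client = Counter()
    errors = defaultdict(int)
    for e in events:
        per_client[e["client"]] += 1
        if e["status"] >= 400:
            errors[e["client"]] += 1
        key = (e["method"], e["path"])
        if key not in baseline["endpoints"] and (e["client"], key) not in reported:
            reported.add((e["client"], key))
            findings.append(("new_endpoint", e["client"], f"{key[0]} {key[1]}"))
    threshold = baseline["mean"] + z * baseline["stdev"]  # mean + z sigma of per-client volume
    for client, n in per_client.items():
        if n > threshold:
            findings.append(("volume_spike", client, f"{n} requests, baseline limit {threshold:.1f}"))
        if errors[client] >= min_errors and errors[client] / n > error_share:
            findings.append(("error_burst", client, f"{errors[client]}/{n} requests rejected"))
    return findings


def run_demo():
    """Learn from BASELINE_LOG, then score OBSERVED_LOG; returns the findings list."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(OBSERVED_LOG))
```

Note what the example does not do: the single 401 in the baseline means a rejected request is not, by itself, an alert. Only the combination of a high rejection share, a request volume three standard deviations above the baseline population, and endpoints no client had touched before singles out the new client. In production the baseline would be learned per endpoint and per authenticated identity over a much longer window, and the thresholds tuned against real traffic, but the shape of the logic is the same.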
This entry was posted on November 9, 2021 at 11:49 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.