
Advisory: Cyber Advisory sent by the New York State Cyber Intelligence Center, Cyber Analysis Unit

The message below and the attachment provide technical information sent by the New York State Cyber Intelligence Center, Cyber Analysis Unit (NYSIC CAU) regarding an ongoing cyber vulnerability that a remote attacker can exploit to take control of an affected system.

Please share this information and consult with your Information Technology (IT)/staff or IT service provider as this may or may not apply to you.

For more information, please contact the NYSIC CAU at: (518) 786-2191 or CAU@nysic.ny.gov

On September 8, 2021, NYSIC CAU shared: The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and United States Coast Guard Cyber Command issued the following Joint Cybersecurity Advisory, APT Actors Exploiting Newly Identified CVE-2021-40539 in ManageEngine ADSelfService Plus.

UPDATE: This update is being provided as NYSIC CAU partners have recently engaged in an incident response capacity to support multiple critical infrastructure agencies in NYS where this vulnerability is actively being exploited. The below information is in addition to what is in the attached document and is being provided to further aid in mitigation and network defense.

Additional locations of known suspicious files:

Anything with a modified/created date after September 1st with a focus on *.js, *.jsp, *.cer, *.class files in the following locations:

  • ManageEngine\ADSelfService Plus\bin
      • A webshell has been confirmed here (ws.jsp)
      • A malicious class file has been confirmed here (s.class); this class file contained code to move the webshell to a publicly accessible folder so that it could be leveraged remotely.

Log evidence of attempted / successful exploitation:

  • \ManageEngine\ADSelfService Plus\logs
      • access_log).txt
      • Directory traversal attempts to access the RestAPI (/./RestAPI or /../RestAPI) have been found here.
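As an added defender-side example (not part of the NYSIC bulletin), the two hunts above written as a Python script: a sweep of the bin folder for files with the listed extensions changed after the September 1 cutoff, and a filter of access-log lines for the /./RestAPI and /../RestAPI traversal forms. It also catches the URL-encoded spelling of the dots, a generalization beyond the bulletin; the install path and the log lines are constructed placeholders.

```python
import os
import re
from datetime import datetime
from urllib.parse import unquote

# File extensions the bulletin highlights in ManageEngine\ADSelfService Plus\bin
SUSPECT_EXTS = {".js", ".jsp", ".cer", ".class"}
# Traversal forms named in the bulletin: /./RestAPI and /../RestAPI
TRAVERSAL_RE = re.compile(r"/(\.|\.\.)/RestAPI", re.IGNORECASE)


def find_suspicious_files(root, cutoff, exts=SUSPECT_EXTS):
    """Return files under root whose extension is in exts and whose
    modification or creation time is after cutoff (a datetime).
    st_ctime is creation time on Windows, inode-change time elsewhere."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if max(st.st_mtime, st.st_ctime) > cutoff_ts:
                hits.append(path)
    return sorted(hits)


def find_traversal_attempts(lines):
    """Return access-log lines whose request path contains /./RestAPI or
    /../RestAPI, after URL-decoding so %2e-encoded dots are caught too."""
    return [ln for ln in lines if TRAVERSAL_RE.search(unquote(ln))]


# Constructed sample lines in Tomcat combined-log style (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Sep/2021:09:15:02 +0000] "GET /samlLogin HTTP/1.1" 200 4120',
    '198.51.100.7 - - [07/Sep/2021:09:16:40 +0000] "POST /./RestAPI/PLACEHOLDER HTTP/1.1" 200 88',
    '198.51.100.7 - - [07/Sep/2021:09:16:41 +0000] "POST /%2e%2e/RestAPI/PLACEHOLDER HTTP/1.1" 200 88',
    '192.0.2.11 - - [07/Sep/2021:09:17:05 +0000] "GET /RestAPI/PLACEHOLDER HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    cutoff = datetime(2021, 9, 1)
    # Hypothetical install path; adjust to the real install drive and folder.
    for p in find_suspicious_files(r"C:\ManageEngine\ADSelfService Plus\bin", cutoff):
        print("check file:", p)
    for ln in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", ln)
```

The direct /RestAPI request in the sample is left out on purpose: only the traversal forms the bulletin names are flagged, so normal API use does not produce noise.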

General Guidance for publicly accessible services / applications

  • Ensure web services run as a restricted user
  • Implement a routine patching cycle
  • Implement routine vulnerability scanning and mitigate findings
  • Implement and monitor Web Application Firewalls
  • Implement and monitor an Intrusion Detection System or Intrusion Prevention System
  • Monitor update notifications from vendors specific to your organization

Attached please find the original bulletin. For your convenience, you may click the thumbtack icon in the attached document to access the listed indicators of compromise to aid in network defense. The attachment allows copying and pasting.

For questions, please send an e-mail to debra.sottolano@health.ny.gov.

NYSHFA/NYSCAL CONTACTS:

Jackie Pappalardi, RN, BSN
Executive Director
518-462-4800 x16

Lisa Volk, RN, B.P.S., LNHA
Director, Clinical & Quality Services
518-462-4800 x15