Nation-State Hackers Strike Again (Almost)


As many of our regular readers know, we have written extensively on the need to protect our nation's critical infrastructure from cyber criminals. Over just the past few months, we have reported on the dangers posed by both criminal and state-sponsored hackers.

News reports from this week told the story of how an attempt to hack another vital piece of critical infrastructure, the Port of Houston, was thwarted.

The global economy is highly dependent upon each nation's system of ports, and this has been true since humans began to trade with one another. Many ports today are massive and complex logistics and supply chain distribution systems, often with ship, rail, road and air routes converging in one location. The Port of Houston is one of the world's largest ports, located in the fourth-largest city in the United States. It is the second-busiest port in the United States, with about 230 million tons of cargo passing through it each year.

A disruption to a major piece of critical infrastructure such as the Port of Houston can have major repercussions, not just in the United States but around the world.

Details of the hacking attempt on the Port of Houston are beginning to emerge from the press and from government agencies. We can begin with the statement released by the Port Authority of Houston:

“The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”

We learned more about the origins of the thwarted hack attempt from a Senate Homeland Security and Governmental Affairs Committee hearing this week. US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly confirmed to lawmakers that the attempted hack exploited a newly disclosed vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management product that integrates with Active Directory.

CISA issued an alert entitled "APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus" and provided the following details:

“CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

How to Remediate the ManageEngine Vulnerability

Fortunately, CISA has also provided guidance on how to remediate this vulnerability:

“Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations to ensure ADSelfService Plus is not directly accessible from the internet.”

Protecting critical infrastructure is vital to our nation's security and the global economy. Automox recommends following the CISA guidance: immediately update every instance of ManageEngine ADSelfService Plus to build 6114 or later, and confirm that no instance is reachable directly from the internet. Because the vulnerability was already being exploited before the fix shipped, patching alone is not enough; any instance that was exposed should also be checked for the webshells and credential theft CISA describes.
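The CISA alert quoted above describes the exploitation pattern (an authentication bypass on REST API URLs, then a webshell dropped for post-exploitation), and the remediation guidance asks that the product not be reachable from the internet. The script below turns those two points into a log hunt an administrator can run against the web server access log of an ADSelfService Plus instance. It is an added example written for this post; it is not Automox, Zoho or CISA code, and it makes several labelled assumptions: the log is in the common Apache/Tomcat combined format, the vulnerable API surface lives under a /RestAPI/ prefix (the alert only says "REST API URLs"), a webshell on this Java-based product would be a .jsp file, and the request paths in the constructed sample lines are placeholders, not indicators from the alert. The allowlist of known-good JSP paths is also a placeholder that must be populated from a clean install of the same build.

```python
"""Hunt an ADSelfService Plus access log for the CVE-2021-40539 pattern:
a client that gets a 200 from a /RestAPI/ URL and then requests a .jsp
path that a clean install does not serve (a candidate webshell), and
note whether that client came in from the public internet.

Added example, not vendor or CISA code. Log format, the /RestAPI/ prefix,
the .jsp heuristic and the sample paths are assumptions (see lead-in).
"""
import ipaddress
import re
from collections import defaultdict

# Apache/Tomcat combined log format (assumption about the deployment).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Placeholder allowlist: replace with the .jsp paths observed on a clean
# install of the same build. Anything outside it after a REST API hit is
# treated as a webshell candidate.
KNOWN_JSP = {"/adssp/index.jsp", "/adssp/login.jsp"}

# Address space we consider "inside". Anything else is treated as internet
# exposure, which CISA says this product should never have.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample lines; the paths are placeholders, not real IOCs.
SAMPLE_LOG = """\
10.20.30.40 - - [13/Sep/2021:08:01:02 +0000] "GET /adssp/index.jsp HTTP/1.1" 200 4021
10.20.30.40 - - [13/Sep/2021:08:01:05 +0000] "POST /RestAPI/SomeEndpoint HTTP/1.1" 200 88
10.20.30.40 - - [13/Sep/2021:08:01:09 +0000] "GET /adssp/login.jsp HTTP/1.1" 200 3100
203.0.113.7 - - [13/Sep/2021:02:14:09 +0000] "POST /RestAPI/SomeEndpoint HTTP/1.1" 200 512
203.0.113.7 - - [13/Sep/2021:02:14:11 +0000] "GET /help/notes.jsp?cmd=whoami HTTP/1.1" 200 77
this line is not in combined log format and is skipped
"""


def parse(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def from_internet(ip):
    """True when the address is outside our internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(lines, known_jsp=KNOWN_JSP):
    """Return {client_ip: finding} for clients matching the pattern.

    Pattern: a successful request under /RestAPI/ from a client, followed by
    that same client requesting a .jsp path not in the allowlist.
    """
    rest_hits = defaultdict(list)
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path.startswith("/RestAPI/") and rec["status"] == 200:
            rest_hits[ip].append(path)
            continue
        if ip in rest_hits and path.lower().endswith(".jsp") and path not in known_jsp:
            f = findings.setdefault(ip, {
                "rest_api": list(dict.fromkeys(rest_hits[ip])),
                "webshell_candidates": [],
                "from_internet": from_internet(ip),
            })
            if path not in f["webshell_candidates"]:
                f["webshell_candidates"].append(path)
    return findings


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: rest_api={f['rest_api']} webshell_candidates="
              f"{f['webshell_candidates']} from_internet={f['from_internet']}")
```

On the sample input only 203.0.113.7 is reported: the internal admin also used the REST API but then only fetched allowlisted pages, so legitimate use is not flagged. A client showing up with from_internet=True is a finding in itself, since the guidance is that the service should not be reachable from the internet at all. To run this against a real log, replace SAMPLE_LOG with the file contents and populate KNOWN_JSP from a clean build 6114 install.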



About Automox IT Operations

Today's IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real time across any endpoint, regardless of OS or location.

Demo Automox to see how you can immediately gain effortless command of your endpoints.