APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus | CISA
Common Information
Type Value
UUID d94596d1-bafb-47e3-b104-9f9fb2870f29
Fingerprint 651401133773b621
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 16, 2021, midnight
Added to db Sept. 11, 2022, 12:33 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline Alert (AA21-259A)
Title APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus | CISA
Detected Hints/Tags/Attributes 84/4/39
Attributes
Type                        #Events  CTI Value
CVE                         67       cve-2021-40539
Domain                      128      www.fbi.gov
Domain                      56       fbi.gov
Domain                      152      cisa.gov
Domain                      2        uscg.mil
Email                       29       cywatch@fbi.gov
Email                       4        central@cisa.gov
Email                       1        nrc@uscg.mil
File                        1        service.cer
File                        2        reportgenerate.jsp
File                        1        c:\manageengine\adselfservice plus\webapps\adssp\help\admin-guide\reports\reportgenerate.jsp
File                        1        c:\manageengine\adselfservice plus\webapps\adssp\html\promotion\adap.jsp
File                        3        1.key
File                        1        c:\manageengine\adselfservice plus\webapps\adssp\certificates\selfservice.cs
File                        1        c:\manageengine\adselfservice plus\bin\service.cer
File                        1        c:\users\public\custom.txt
File                        1        c:\users\public\custom.bat
File                        1        adap.jsp
File                        240      wmic.exe
File                        1        pg_dump.exe
File                        6        uscg.mil
sha256                      1        068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324
sha256                      1        49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba
MITRE ATT&CK Techniques     542      T1190
MITRE ATT&CK Techniques     104      T1505.003
MITRE ATT&CK Techniques     627      T1027
MITRE ATT&CK Techniques     504      T1140
MITRE ATT&CK Techniques     289      T1003
MITRE ATT&CK Techniques     121      T1218
MITRE ATT&CK Techniques     86       T1136
MITRE ATT&CK Techniques     67       T1003.003
MITRE ATT&CK Techniques     310      T1047
MITRE ATT&CK Techniques     297      T1070.004
MITRE ATT&CK Techniques     116      T1560.001
MITRE ATT&CK Techniques     130      T1573.001
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development)  11  DEV-0322
Url                         3        https://www.fbi.gov/contact-us/field-offices
Yara rule                   1        (rule text follows)
rule ReportGenerate_jsp {
	strings:
		$s1 = "decrypt(fpath)"
		$s2 = "decrypt(fcontext)"
		$s3 = "decrypt(commandEnc)"
		$s4 = "upload failed!"
		$s5 = "sevck"
		$s6 = "newid"
	condition:
		filesize < 15KB and 4 of them
}
Yara rule                   1        (rule text follows)
rule EncryptJSP {
	strings:
		$s1 = "AEScrypt"
		$s2 = "AES/CBC/PKCS5Padding"
		$s3 = "SecretKeySpec"
		$s4 = "FileOutputStream"
		$s5 = "getParameter"
		$s6 = "new ProcessBuilder"
		$s7 = "new BufferedReader"
		$s8 = "readLine()"
	condition:
		filesize < 15KB and 6 of them
}
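The indicator list above gives drop paths, two SHA256 values and two string-based YARA rules, but no tooling. The following is an added example, not code from the CISA alert or from ManageEngine: a stand-alone Python sweep that walks a directory tree (a mounted image or a copy of the install tree, with the drive letter stripped from the listed paths), flags files at the listed paths, compares SHA256 against the two listed hashes, and re-implements the string and size conditions of both YARA rules so the check runs without yara-python. The sample tree built by `demo()` is constructed for illustration and contains only the rule strings, not the real webshell; the function names and the path-stripping convention are assumptions of this example.

```python
"""IOC sweep for the AA21-259A indicators listed above (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from the indicator list above.
KNOWN_HASHES = {
    "068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324",
    "49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba",
}

# File paths from the indicator list, with the c:\ drive prefix removed so the
# sweep can be pointed at any root (assumption of this example).
KNOWN_PATHS = [
    r"manageengine\adselfservice plus\webapps\adssp\help\admin-guide\reports\reportgenerate.jsp",
    r"manageengine\adselfservice plus\webapps\adssp\html\promotion\adap.jsp",
    r"manageengine\adselfservice plus\bin\service.cer",
    r"users\public\custom.txt",
    r"users\public\custom.bat",
]

# String sets and "N of them" thresholds copied from the two YARA rules above.
RULES = {
    "ReportGenerate_jsp": (
        [b"decrypt(fpath)", b"decrypt(fcontext)", b"decrypt(commandEnc)",
         b"upload failed!", b"sevck", b"newid"], 4),
    "EncryptJSP": (
        [b"AEScrypt", b"AES/CBC/PKCS5Padding", b"SecretKeySpec",
         b"FileOutputStream", b"getParameter", b"new ProcessBuilder",
         b"new BufferedReader", b"readLine()"], 6),
}
MAX_SIZE = 15 * 1024  # "filesize < 15KB" in both rules (YARA KB = 1024 bytes)


def matching_rules(data: bytes) -> list:
    """Return the names of rules whose condition holds for this file content."""
    if len(data) >= MAX_SIZE:
        return []
    return [name for name, (strings, need) in RULES.items()
            if sum(1 for s in strings if s in data) >= need]


def check_file(path: Path) -> dict:
    """Hash one file and apply the rule logic; returns a findings record."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": str(path),
        "sha256": digest,
        "hash_hit": digest in KNOWN_HASHES,
        "rules": matching_rules(data),
    }


def sweep(root: Path) -> list:
    """Walk root; report files at known drop paths, with known hashes, or matching a rule."""
    root = Path(root)
    known = {(root / p.replace("\\", "/")).resolve() for p in KNOWN_PATHS}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rec = check_file(p)
            rec["known_path"] = p.resolve() in known
            if rec["known_path"] or rec["hash_hit"] or rec["rules"]:
                findings.append(rec)
    return findings


def demo() -> list:
    """Build a constructed sample tree in a temp dir and sweep it (not real malware)."""
    root = Path(tempfile.mkdtemp())
    drop = root / "manageengine/adselfservice plus/webapps/adssp/help/admin-guide/reports"
    drop.mkdir(parents=True)
    # Constructed stand-in that carries four of the ReportGenerate_jsp strings.
    (drop / "reportgenerate.jsp").write_bytes(
        b'<% decrypt(fpath); decrypt(fcontext); decrypt(commandEnc); '
        b'out.println("upload failed!"); %>')
    # Benign file: not a listed path, unknown hash, no rule strings.
    (root / "benign.jsp").write_bytes(b"<%= new java.util.Date() %>")
    return sweep(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Point `sweep()` at the root of a mounted disk image or a copied install tree rather than a live `c:\` so the hashes are computed over unmodified files; the string checks are case-sensitive, as YARA's are by default, so a renamed or re-encoded copy of the shell will only be caught by the path or hash checks, not the string rules.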