SecPro#27: Zoho Exploit Detection with M365 Defender, DevSecOps for Cloud

Hey there,

In this issue, we’re joined by Joe Anich, Senior CE Incident Response at Microsoft. We discuss the detection and analysis of an exploit making the rounds affecting the Zoho ManageEngine ADSelfService Plus solution. Also pleased to share a brand new module focused on practical security recommendations for startups with limited budgets. Plus more bite-sized learning, including:

• Observing the Zoho ADSelfService Plus Exploit with M365 Defender
• DevSecOps for Cloud Infrastructure: Cloud Security Done Right
• Practical Resources for Startup Security Teams
• Recent Security Issues
• Secret Knowledge: Building Your Security Arsenal

Exploit Detection & Analysis

Exploit Detection with M365 Defender: Observing the Zoho ADSelfService Plus Exploit with M365 Defender

By Joe Anich

TL;DR: Security Researchers at Microsoft have detected exploits running in the Zoho ManageEngine ADSelfService Plus software versions. We discuss steps to monitor, detect, and remediate.

In the ever-growing and changing threat landscape, it seems like it’s a matter of minutes before the next exploit is at the forefront. One new one making its rounds is the exploit affecting the Zoho ManageEngine ADSelfService Plus solution, also known as CVE-2021-40539. The Zoho ManageEngine ADSelfService Plus is a cloud-based solution that helps manage password changes via a password synchronizer that coordinates changes made in AD to the users linked Zoho account. Check out the CVE link above to learn more about details and how the REST API was used to bypass security filters.

Security researchers at Microsoft have started seeing exploits being used to compromise systems running this software in what they see as a targeted campaign that was first noticed in September of this year. There were also great community contributions from teams like Palo Alto Unit 42 and Black Lotus Labs. More can be read about that in Microsoft’s public article here. Based on the tactics, techniques, and procedures observed, it is being attributed to DEV-0322, a group operating out of China. Some of the first targets were in the defense industry, higher education, consulting services as well as various information technology sectors.

Once systems were compromised with this attack, the threat actor starts performing several activities like credential dumping, installing custom binaries, dropping malware like IIS modules or trojans. This all is an effort to maintain persistence and move laterally around the environment. See the figure below for an example of that flow:

Exploit Detection with M365 Defender: CVE-2021-40539 Exploit Flowchart

Microsoft 365 Defender will correlate all activities related to this activity and group them into a single incident for you to track easier. You can also see a bird’s eye view of its prevalence in your environment from the Threat analytics page in the M365 Defender portal as seen in the figure below:

M365 Defender Portal, Threat Analytics

Exploit Detection with M365 Defender: Monitoring and Remediation

Microsoft perpetually monitors these activities to add protections for customers as they come across them. Let us outline some of those protections in place now.

1. First and foremost, patching should be a good baseline measure. Get your systems up to date both at the OS and application levels. Specifically, in this case, you should be ensuring you have the service pack update mentioned above in the CVE article by ManageEngine if you’re vulnerable.
2. Ensure Cloud-Delivered protection (MAPS) is enabled for Defender AV, or whatever your AV’s equivalent is to ensure you are getting real-time protections for new variants.
3. Enable EDR in Block Mode if you have Defender for Endpoint deployed in your environment. This gives you an extra layer of protection if Defender AV is primary, allowing it to take actions on post-breach EDR detections. If you’re running 3^rd party AV, it can leverage Defender AV in passive mode to remediate artifacts not detected by your primary AV.
4. If you are running Defender for Endpoint (MDE), Microsoft EDR solution, it is recommended to enable the Automated investigation and remediation capabilities to Full-automated mode. This allows MDE to take immediate action to resolve breach activity as well as reduce alert fatigue.
5. Another feature to enable if you are running Defender for Endpoint is Device discovery. This will help you find unmanaged devices in your environment so you can ensure they are brought under control and compliance.
6. Attack surface reduction rules should be a no-brainer, these are protections that often go un-talked about. Two rules as it pertains to this CVE are the below:
   • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
   • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Of course, enable in Audit mode first to gauge its impact before you enable in Block mode. Once you get some rules enabled in either Audit or Block mode, you can head to the Reports page in the Microsoft 365 Defender portal and view the report of their results.
When it comes to the antivirus side of things, Defender AV detects these artifacts as the following pieces of malware. Check out each links on Exploit Detection with M365 Defender for more information.

• Trojan:MSIL/Gacker.A!dha
• Backdoor:MSIL/Kokishell.A!dha
• Trojan:Win64/Zebracon.A!dha

If you want to hunt for these activities further, there are provided queries that you can run in Microsoft Sentinel, those can be found in the following article concerning this CVE. On top of that, you’ll find a handful of IOCs in the form of SHA-256 hashes. Also read below on Exploit Detection with M365 Defender:

• Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus | Microsoft Security Blog| Microsoft (date accessed 11/08/2021)
• KdcSponge, NGLite, Godzilla Webshell Used in Targeted Attack Campaign | Palo Alto Networks (date accessed 11/08/2021)

DevSecOps 

DevSecOps for Cloud Infrastructure: Cloud Security Done Right
By Austin Miller

With the cloud computing market expected to grow to over $940 billion by 2026, building suitable cloud infrastructure and allocating the correct number of cloud resources is a top priority. But it is a difficult task for any security team.

DevOps practices are practically everywhere these days, but why are the same old security issues not being handled earlier in the SDLC (especially in the cloud!) when security teams are adopting better processes and better tools?

The truth is that development and operations teams still haven’t fully learned how to secure software and secure code. Creating secure apps takes much longer than agile needs allow when security teams have to pick up the slack when the cloud applications are already made. That’s why we need a revolution in the development world – a DevSecOps revolution.

What You’re Doing Wrong (Possibly)

Here’s a flashback to 2002:

DevOps culture needed better security checks almost 2 decades ago!

Cloud operations are getting more complex every year, but we are still facing the same kinds of security vulnerabilities from the start of the Millenium. Why don’t agile teams integrate security earlier in the development process? Failing to do so causes problems for teams, for example:

• Finding an easily preventable but fatal flaw in the pre-production security check
• Relying on code that was found insecure in previous projects
• Ad-hoc changes causing issues for compliance

These are all avoidable through better DevSecOps practices and shifting left.

Shift Left, Then Shift Left Again

If you’ve ever worked with an application development team, you’ll probably have heard this idea of “shifting security left” – that is, moving security controls earlier in the software development pipeline.

Take your standard DevOps pipeline. (Reference: Quartech). Do you see “check for vulnerabilities”? Me neither.

In a conventional CI/CD software development lifecycle, a security team will look over the code pre-deployment. Now let’s integrate security:

Source: Geekflare

Now we have: Collective responsibility for security, Reflexive security, and Infrastructure-as-Code (IaC). These factors harden the pipeline and involve security professionals from the get-go. Remember, identifying bugs earlier on saves time and money – why wouldn’t you want pre-emptive defenses?

Integrating Security Controls in the Cloud

The path to DevSecOps isn’t an easy one but using automated and command-line tools will help you refine DevOps processes to be more secure and augment developer workflows with integrated tools and better information security management.

• Understanding Weaknesses

Learning to pentest your own system is the best way to understand the adversary. You will need different tools depending on the type of project that you are working with, but using tools such as The PenTesters Framework will give you everything you need to break down your own defenses. The CISO and their team shouldn’t do this alone. Security is everyone’s responsibility – automating alerts and augmenting existing workflows is key to changing the culture in your entire team.

• Version Control

Understanding threats means understanding when the threat came in. Just like software developers manage the version they are using, security teams should too. With better configuration management, security professionals will see the exact weakness that leads to a breach.

• IaC Hardening

IaC already works with DevOps cloud production, but security experts lending their expertise to cloud architects is the best way to make the IaC structure more secure. Because clouds quickly become unmanageable, greater consistency and less configurational drift come through automating your cloud defenses. Different cloud providers need different tools, such as AWS CloudFormation, Azure Resource Manager, or Google Cloud Deployment Manager. Learning to manage your cloud’s needs is key to successful defenses.

• Secure Development

The whole point of DevSecOps is to make the development process more secure and to stop issues from reaching the operations stage. Using secure cloud-native applications is the best way to secure your DevOps environment.

How do I do that? By loading up images through Kubernetes and Docker which have been tested as well as using IaC platform tools such as BridgeCrew to harden your defenses.

• Finding Left-Side Tools

Along with the excellent tools that are listed above, here are some free tools that you can use to improve your DevSecOps culture.

• Spectral is a tool for scanning and monitoring your on-premises and cloud infrastructures and Alerta does the same job if you prefer open-source solutions.
• ShiftLeft is, as the name suggests, a toolkit for moving security left in the pipeline. All tools are open-source and it comes with a free plan of up to 200,000 lines of code and 300 scans per year which is enough for many small organizations.
• Apiiro uses artificial intelligence to automatically scan your infrastructure and learn about vulnerabilities and issues through historical behaviors.

How Can I Develop a DevSecOps Culture?

Recognizing the weaknesses in a DevOps culture and integrating ways to integrate security tools as far left as possible is the first step. Continuous integration/continuous developer tools have had a huge impact on DevOps workforces, so why not the DevSecOps process too?

Encouraging a culture of security-minded developers, operations workers, managers, and the security team itself is the best way to start shifting security left. By integrating open-source and commercial tools, you can transform your operation into a modern, secured DevSecOps culture.

Practical Resources for Startup Security Teams 

Practical Security Recommendations for Start-ups with Limited Budgets  – Startups have a rare opportunity to ‘bake’ security in at the start of a project, but this is often seen as an expensive endeavor. This post aims to ease that fear and provide practical (and inexpensive) advice for start-ups. Highlights include:

• How to use a password manager and 2FA
• How to centralize all logging, have a bug bounty program, and more!

A Practical Guide to Continuous Compliance for Your Cloud Infrastructure – An eBook from Cloudrail that outlines a 5-step journey to achieve continuous compliance without sacrificing speed.

How to Estimate Costs of a Security Incident – A casually defensible forecast of breach impact to a real company’s revenue using approximation methods. This helps us tailor a measurement of breach impact to our specific organizations to help us find better efficiency in all aspects of risk management. Another super interesting essay from the author on How to Estimate Legal Costs from a Security Data Breach.

Recent Security Issues 

Scanning Millions of Publicly Exposed Docker Containers: RedHunt Labs scanned over 6 million unique public repos on Docker Hub. These are the findings:

• The most common secret type was username/password to clone git repos.
• The top 5 exposures in Docker images include hard-coded secrets.

Emotet Resurfaces on the Back of TrickBot After a Year: Emotet, one of the most prolific and disruptive botnet malware-delivery systems, appears to be making a comeback after nearly a year of inactivity.

 CISA: ICS Equipment Advisory: The US Cybersecurity and Infrastructure Security Agency (CISA) has released an ICS advisory urging admins to install updates to address “vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.”

Secret Knowledge: Building Your Security Arsenal

Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.

New & Trending 

jtesta/ssh-audit – An SSH server & client auditing tool: banner, key exchange, encryption, mac, compression, compatibility, security, etc.
aidansteele/cloudkey – Quickly clone an entire org/users repositories into one directory. Supports GitHub, GitLab, Bitbucket, and more.
RUB-SysSec/nyx-net –  A fast full-VM snapshot fuzzer for complex network-based targets. It can fuzz a wide range of targets spanning servers, clients, games, etc.

Network 

Etherate – is a Linux CLI-based Ethernet and MPLS traffic testing tool.
aria2 – is a lightweight multi-protocol & multi-source command-line download utility.
iptraf-ng – is a console-based network monitoring program for Linux that displays information about IP traffic.

Search Engines 

Censys – a platform that helps information security practitioners discover, monitor, and analyze devices.
GhostProject? – Search by full email address or username.
IntelligenceX – is a search engine and data archive.

The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.