The dangers of vendor shortcuts!
Installers are hard to write. They generate a lot of customer support calls and seem to always need tweaking to support unforeseen or new customer environments. But installers fulfill several, important functions.
Obviously, software needs to get installed and configured. In addition, the installation process usually established the security context for many products. However, both vendors and customers encounter both a learning curve, and common pitfalls in many cases.
When security and core infrastructure is involved, this is a dangerous space to take shortcuts. For example, consider a Windows centric environment. Most companies recognize the install base and huge potential customer base. But some companies lack the domain expertise. Not knowing the Microsoft ecosystem, and basically in the “fake it before you make it” phase, they may simply wrap a Linux tool with a UI. All’s good, right? Looks like a Windows app, but no need to invest in the cross training and support a new development platform. (An example of this is Manage Engine’s AD Tools).
For example, one might build an Active Directory management tool using Linux as the deployment platform. Simply run the application in a Linux VM supporting Windows workloads. But, while the products look like a Windows solution, from a security standpoint, it is a Linux solution, with Linux vulnerabilities, hiding this from management tools.
For most almost all enterprises, Active Directory holds the keys to the kingdom. As such, It will be highly telemetered and monitored. But, if these tools are not secure, neither is the Active Directory instance.
Recently, an exploit leveraging Log4J – an integral component to Apache – appeared as a zero day. This m Meanings if any product utilizing Log4J on your network has elevated permissions then – your core infrastructure, identities, credentials and defenses are potentially compromised.
If the product in question is a management tool, holds elevated credentials, or can control configuration and monitoring – immediate action is required. This requires going to the AD logs and log aggregators to perform the a thorough forensic investigation. Examine network logs and event logs. DO NOT USE ANY SUCH PRODUCT TO PERFORM THESE TASKS. Having a product that provides real time alerts of all changes to the Active Directory is essential for security, for instance CionSystems Active Directory Change alerter/notifier that has the ability trap ‘all’ changes and send real time alerts.
Once an intruder can access Active Directory at this level, the impact is potentially catastrophic. Via Accounts in Active Directory, and the products service accounts, the threat actor will likely have access to credentials used by network tools, intrusion detection, log aggregators, and other core infrastructure. They will also be able to cover their trail and inject hacking tools, such as MimiKatz, into the environment. A recent example of CVE-2021-44228 which pertains to vulnerabilities in Apache Log4j. This is something any customer using a vendor supplied VM should investigate, thoroughly.
Lastly, do not assume applying a vendor fix is all that is required. These attacks are usually tools used to potentiate APT’s (Advanced Persistent Threats). This means a fix needs to be combined with ongoing forensics, removal of problematic products, and retrospective log analysis.
Note: Since the initial writing of this paper in early December, the scope and impact of CVE-2021-44228 has become apparent. Threat actors are using this vulnerability to potentiate attacks, and it is proving surprisingly damaging. In particular, ZD has noted:
“The FBI’s cyber division has issued an alert warning enterprises using Zoho-owned ManageEngine’s Desktop Central that advanced attackers have been exploiting a flaw to install malware since late October.”
From: https://www.ic3.gov/Media/News/2021/211220.pdf