A suspected state-backed threat actor has attempted to break into the network of the Port of Houston, a major U.S. port, using a zero-day vulnerability in the Zoho ManageEngine ADSelfService Plus password management software, The Associated Press reported.
In a statement, the Port of Houston said it was the target of a cyberattack in August and that “no operational data or systems were impacted as a result”. No further details about the attack have been made available so far.
Last week, the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert warning that state-sponsored advanced persistent threat (APT) groups are actively exploiting the CVE-2021-40539 vulnerability in Zoho ManageEngine ADSelfService Plus.
This flaw allows a remote, unauthenticated attacker to execute arbitrary code on the system by sending malicious HTTP requests to the product's REST API endpoints. The bug was fixed in Zoho ManageEngine ADSelfService Plus build 6114.
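The two facts that matter to a defender here are the fixed build (6114) and the attack surface (unauthenticated HTTP requests to REST API endpoints). The following is an added example, not code from the article, the agencies' alert, or Zoho: it checks an installed build number against the fix threshold and triages a web-server access log for REST API requests that were accepted without an authenticated user. The log lines are constructed, the Common Log Format layout and the `/RestAPI/` prefix are assumptions, and `EXAMPLE_ENDPOINT` is a placeholder because the specific request paths used in the campaign are not given on this page.

```python
import re
from collections import Counter

# Build in which Zoho fixed CVE-2021-40539 (stated in the article).
FIXED_BUILD = 6114


def is_vulnerable_build(build):
    """Return True when an ADSelfService Plus build predates the fix."""
    return int(build) < FIXED_BUILD


# Constructed sample access log in Common Log Format (assumed layout).
# "/RestAPI/EXAMPLE_ENDPOINT" is a placeholder path, not a real indicator.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2021:02:14:07 +0000] "POST /RestAPI/EXAMPLE_ENDPOINT HTTP/1.1" 200 512
10.0.0.8 - jdoe [10/Aug/2021:02:15:01 +0000] "GET /selfservice/login HTTP/1.1" 200 4096
203.0.113.5 - - [10/Aug/2021:02:15:09 +0000] "POST /RestAPI/EXAMPLE_ENDPOINT HTTP/1.1" 200 301
198.51.100.7 - - [10/Aug/2021:02:20:33 +0000] "POST /RestAPI/EXAMPLE_ENDPOINT HTTP/1.1" 403 0
"""

# One CLF line: client IP, ident, authenticated user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def suspicious_rest_requests(text, prefix="/RestAPI/"):
    """Requests to REST API paths that the server accepted (2xx) with no
    authenticated user recorded. Rejected requests (4xx) are noise here:
    the concern is unauthenticated calls the application actually processed."""
    hits = []
    for entry in parse_log(text):
        unauthenticated = entry["user"] == "-"
        accepted = 200 <= entry["status"] < 300
        if entry["path"].startswith(prefix) and unauthenticated and accepted:
            hits.append(entry)
    return hits


def sources_by_count(hits):
    """Count suspicious requests per client IP to prioritise triage."""
    return Counter(entry["ip"] for entry in hits)


if __name__ == "__main__":
    print("build 6113 vulnerable:", is_vulnerable_build(6113))
    found = suspicious_rest_requests(SAMPLE_LOG)
    for ip, n in sources_by_count(found).most_common():
        print(f"{ip}: {n} accepted unauthenticated REST API request(s)")
```

On the constructed sample the script flags the two accepted requests from 203.0.113.5 and ignores the 403 from 198.51.100.7 and the authenticated login page request. In a real review the build check is the first question to answer, and any accepted REST API request from outside the expected management network on a pre-6114 build warrants a closer look at the host.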
Threat actors have been exploiting the vulnerability in their attacks since August 2021, the security agencies said. The targeted entities include academic institutions, defense contractors, and critical infrastructure entities in the transportation, IT, manufacturing, communications, logistics, and finance sectors.
CISA officials said they have not yet linked the attack against the Port of Houston to a specific APT or foreign government.
“Attribution can always be complicated in terms of being able to dispositively say who that threat actor is… But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” said CISA’s director Jen Easterly during a meeting of the Senate Homeland Security and Governmental Affairs Committee.
“So you're referring to something called ManageEngine AD Self Service Plus, which is this password management and single sign-on capability. We worked with the U.S. Coast Guard on a vulnerability at the Port of Houston and found out about this. To this point in time, we see that the campaign thus far is limited, but we're continuing to work through it,” Easterly said.