CVE-2024-0252  – IN THE REALM OF CYBERSECURITY, THERE IS NO REST FOR THE WEARY.

by | Jan 29, 2024

As the echoes of a 2023 fade, there’s barely a moment to catch our breath. 2024 has dawned with a brisk reminder: in the realm of cybersecurity, there is no rest for the weary. The new year greets us not with respite but with yet again, a fresh set of challenges as cyber attackers continually evolve, exploiting security gaps with relentless zeal. In this unceasing game of cat and mouse, the recent discovery of CVE-2024-0252 serves as a stark reminder – we must remain ever vigilant, for the cyber adversaries never sleep, and neither should we.

The CVE-2024-0252 Vulnerability: A ManageEngine Weak Spot

CVE-2024-0252 opens a dangerous door for attackers, allowing authenticated users to execute remote code on systems where ADSelfService Plus is installed. 

CVE-2024-0252 exposes a flaw in this software that could be exploited by someone who already has a certain level of access (authenticated user). Specifically, it allows them to execute remote code on the system running ADSelfService Plus, opening up avenues for more significant security breaches. For instance, an attacker exploiting this flaw could potentially gain deeper access into the organization’s network, compromise sensitive data, or disrupt critical IT systems.

What is ManageEngine ADSelfService Plus?

ManageEngine ADSelfService Plus is a comprehensive self-service password management and single sign-on solution. It’s typically used in business environments to allow employees to perform certain IT tasks themselves, such as resetting forgotten passwords or unlocking their accounts. By automating these processes, it reduces the workload on IT staff and improves user experience and productivity.

Mythic Platform Misuse: A Double-Edged Sword

During our analysis, we discovered an alarming connection between the malware sample and the Mythic platform. Mythic, known for its collaborative and intuitive interface for red teaming, is built using GoLang, Docker, and Docker-compose. While designed for legitimate cybersecurity testing, its ease of use has, unfortunately, attracted malicious actors. This trend of repurposing security tools for malevolent objectives is a growing concern, blurring the lines between safeguarding and exploiting vulnerabilities.

The sample can be further inspected here  

A Deep Dive into the Malware’s Tactics

The sophistication of this malware sample is evident in its use of advanced tactics and techniques. Analyzing the sample, available on VirusTotal, reveals the complexity of its design, including obfuscation and evasion strategies. The malware utilizes a range of methods mapped in the MITRE ATT&CK framework, such as Native API Execution, Obfuscated Files or Information, and System Network Configuration Discovery.

Execution
ATT&CK IDNameTacticsDescription
T1106Native APIExecutionAdversaries may interact with the native OS application programming interface (API) to execute behaviors. Learn more 
Defense Evasion
ATT&CK IDNameTacticsDescription
T1027Obfuscated Files or InformationDefense EvasionAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. Learn more 
T1497Virtualization/Sandbox EvasionDefense EvasionAdversaries may employ various means to detect and avoid virtualization and analysis environments. Learn more 
Discovery
T1140Deobfuscate/Decode Files or InformationDefense EvasionAdversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. Learn more 
T1480Execution GuardrailsDefense EvasionAdversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Learn more 
Discovery
ATT&CK IDNameTacticsDescription
T1016System Network Configuration DiscoveryDiscoveryAdversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Learn more 
T1083File and Directory DiscoveryDiscoveryAdversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Learn more 
T1049System Network Connections DiscoveryDiscoveryAdversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Learn more 
T1497Virtualization/Sandbox EvasionDefense EvasionAdversaries may employ various means to detect and avoid virtualization and analysis environments. Learn more 
Discovery
Command and Control
ATT&CK IDNameTacticsDescription
T1071Application Layer ProtocolCommand and ControlAdversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Learn more 
T1095Non-Application Layer ProtocolCommand and ControlAdversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. Learn more 
T1573.001Symmetric CryptographyCommand and ControlAdversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Learn more [MG1] 

The Prevalence and Impact

The prevalence of CVE-2024-0252 is not just a theoretical concern but a real-world threat. The statistics on exposed servers and the vulnerability’s exploitation rate emphasize the urgency for organizations to reassess their exposure and fortify their defenses. For a comprehensive understanding of the threat landscape and timely patching recommendations, CISA’s vulnerability summary offers invaluable insights (CISA).

Source – CVE-2024-0252

On the screenshots below, we can see numerous instances of servers exposed to ADSelfService. This exposure means that without the necessary remediation, these servers are susceptible to exploitation through CVE-2024-0252. The exact figures and locations of these vulnerable servers provide a tangible perspective on the potential reach of this security flaw.

Conclusion: Embracing Proactivity in Cybersecurity

2024’s emerging threats, such as CVE-2024-0252, are a reminder of the dynamic and challenging nature of cybersecurity. To navigate this landscape effectively, organizations must be disciplined, continuously monitoring their security controls and correlating them with intelligence feeds to stay ahead of potential threats. This integration is crucial for maintaining an accurate understanding of the security landscape and the in-house security configuration and ensuring that misconfigurations are met head-on to reach maximum effectiveness and adaptability to new challenges. The ultimate goal is to create a security posture that is not only reactive to exposures but also predictive and preventative. This involves a deep understanding of the organization’s security infrastructure, continuous optimization of security controls , and the ability to make data-driven security decisions.

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Odin

AI-Powered Contextual Cybersearch

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Vulnerability Remediation

Safely remediate vulnerabilities in one click

Business Continuity

Reduce alert fatigue. Increase Security Effectiveness

MISCONFIGURATION MANAGEMENT

Proactively neutralize misconfigurations to minimize exposure risks

Mobilizing Threat Remediation

Identify and mobilize threat remediation across the security stack automatically.

GENERATIVE AI SECURITY

Chat with your environment to cut MTTR times drastically

Solutions

Safe Remediation

Ensure remediation actions do not give rise to additional exposures

MITRE ATT&CK®

Quickly respond to live threats with safe and precise remediation

VERITI FOR Enterprises

Increase business outcomes

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

SEC AND THE BUSINESS

A security pro’s guide to exposure assessments and remediation

 

Read Whitepaper >>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

Glossary

Our Comprehensive Definitions Guide

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Careers

Work with us

Newsroom

Our latest updates

Contact US

Get in touch

CHANNEL PARTNERS

Become a partner

MSSPs

Reduce operational costs