According to a joint security alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Coast Guard Cyber Command revealed an attempted attack against the Port of Houston in August.
Director of the CISA, Jen Easterly, notified lawmakers of this fact while delivering testimony before a U.S. Senate committee hearing on 23 September 2021. The security alert itself was issued a week earlier, on 16 September, nearly a month after the actual incident.
This came to light as Jen Easterly was questioned by Ohio Republican Sen. Rob Portman who is the ranking member of the Senate Homeland Security and Governmental Affairs Committee.
According to the alert, the incident involved nation-state affiliated threat actors who tried to exploit a vulnerability in the Zoho software used by the port operators.
Zoho is a suite of online productivity tools and SaaS applications. It’s best known for its online office suite by the same name, although its catalog also consists of CRM, auditing, email, and remote desk tools, among others.
The attack was deemed to form part of a larger strategy to target the operators of U.S. critical infrastructure as well as defensive contractors, transportation and logistics firms and academic institutions.
Specifically, the attack aimed to exploit a vulnerability in Zoho’s single sign-on (SSO) and password management tool. Tracked as CVE-2021-40539, the vulnerability is rated as critical by the NIST with a score of 9.8. The vulnerability involves the Zoho ManageEngine ADSelfService Plus version 6113 and prior which is vulnerable to REST API authentication bypass.
If successful, an attacker can use the vulnerability to plant malicious web shells within a network and then compromise credentials, move laterally through the network and exfiltrate data, including from registry hives and Active Directory files
The Port of Houston itself was the first to discover the potential incident. This information was then brought to the Coast Guard who relayed it to the FBI and CISA.
CISA then work alongside the FBI and Coast Guard to better understand the incident and to try and determine whether the same vulnerability affected the rest of the federal cyber ecosystem.
This incident gave the CISA one of its first and most prominent opportunities to put its newly formed Joint Cyber Defense Collaborative to the test. The Joint Cyber Defense Collaborative is an initiative to build a national cybersecurity defense strategy based on collaboration between the public and private sectors.
The good news is that the attack seems to have been unsuccessful. In a statement, the Port of Houston announced:
“The Port of Houston Authority (Port Houston) successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”
The attacker were able to gain an initial foothold and steal some credentials. However, the attack was detected and blocked before any harmful actions could be taken by the threat actors.
To date, the Joint Cyber Defensive Collaborative is still working on discovering the identity and affiliation of those behind the attack.
Sources:
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
Port Houston – Statement regarding Recent Cybersecurity Attack
