CISA Warns of Actively Exploited Zoho ManageEngine ServiceDesk Critical Vulnerability
The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning that a recently patched flaw in Zoho's ManageEngine ServiceDesk Plus product is being actively exploited to deploy web shells and carry out a range of malicious activities.
Tracked as CVE-2021-44077 (CVSS score: 9.8), the issue is an unauthenticated remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 which, if left unpatched, "allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," CISA said.
"A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho noted in a separate advisory published on November 22. "This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attack." Zoho fixed the flaw in version 11306 and above on September 16, 2021.
CVE-2021-44077 is also the second flaw exploited by the same threat actor that previously exploited a security hole in Zoho’s self-service and single sign-on password management solution known as ManageEngine ADSelfService Plus (CVE-2021-40539) from compromising at least 11 organizations, according to a new report released by the threat intelligence team of Palo Alto Networks Unit 42.
“The threatening actor stretches[ed] its goal beyond ADSelfService Plus to other vulnerable software, ”said Unit 42 researchers Robert Falcone and Peter Renals. “Specifically, between October 25 and November 8, the actor turned his attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus. “
The attacks are said to be orchestrated by a “persistent and determined APT player” followed by Microsoft as “DEV-0322”, a cluster of emerging threats that the tech giant says operates from China and has already been observed in China. exploiting a zero-day flaw in the SolarWinds Serv-U managed file transfer service earlier this year. Unit 42 monitors the combined activity as “Tilted temple” campaign.
Post-exploitation activities following a successful compromise involve the actor downloading a new dropper ("msiexec.exe") to the victimized systems, which then deploys the Chinese-language JSP web shell named "Godzilla" to establish persistence on these machines, echoing similar tactics used against the ADSelfService software.
Unit 42 identified more than 4,700 internet-facing instances of ServiceDesk Plus worldwide, of which 2,900 (or 62%), spread across the United States, India, Russia, Great Britain and Turkey, are considered vulnerable to exploitation.
In the past three months, at least two organizations have been compromised via the ManageEngine ServiceDesk Plus flaw, a number that is expected to rise further as the APT group ramps up its reconnaissance activities against the technology, energy, transportation, healthcare, education, finance and defense industrial base sectors.
Zoho, for its part, has made available an Exploit Detection Tool to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate any potential risk from exploitation.