CISA and FBI alert: Attackers actively exploiting vulnerability in Zoho ManageEngine ServiceDesk Plus

CISA and FBI alert: Attackers actively exploiting vulnerability in Zoho ManageEngine ServiceDesk Plus

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued a joint advisory warning attackers are actively exploiting a vulnerability in Zoho ManageEngine ServiceDesk Plus.

The vulnerability CVE-2021-44077 is an unauthenticated remote code execution vulnerability that impacts all ServiceDesk Plus versions prior to and including 11305.

Zoho fixed the issue back on September 16, 2021 as part of security update for ServiceDesk Plus versions 11306 and above.

“If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide,” CISA and FBI wrote in the joint alert.

Moreover, CISA and the FBI warned of reports of malicious advanced persistent threat (APT) cyber actors exploiting CVE-2021-44077 as early as late October 2021. The APT actors have targeted Critical Infrastructure Sector industries, including healthcare, financial services, electronics, and IT consulting industries.

Types of attacks

Some of the tactics, techniques and procedures (TTPs) used in the attacks include:

  • Writing webshells to disk for initial persistence.
  • Obfuscating and Decoding Files or information.
  • Dumping user credentials.
  • Using Windows utilities and “Living off the land” to collect and archive files for exfiltration or other actions.
  • Adding/deleting user accounts.
  • Stealing copied of Active Directory database or registry hives.
  • Using Windows Management Instrumentation (WMI) for remote execution.
  • Deleting files to remove indicators from compromised systems.
  • Discovering domain accounts with the net Windows command.
  • Using custom symmetric encryption for command and control (C2).

Last month, researchers from Microsoft and Palo Alto Networks detected exploits against another Zoho ManageEngine (ADSelfService Plus) vulnerability CVE-2021-40539. Microsoft had attributed the campaign to Chinese-based DEV-0322 cybergang.

Related Articles