Warning Issued About Active Exploitation of Critical Zoho ManageEngine ServiceDesk Plus Vulnerability

At least one APT actor is exploiting a critical vulnerability in the IT helpdesk and asset management solution, Zoho ManageEngine ServiceDesk Plus, according to a joint security advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, tracked as CVE-2021-44077, has a severity score of 9.8 out of 10 and is related to the /RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. The flaw can be exploited remotely without authentication and allows remote code execution. In the attacks detected to date, an APT actor has been exploiting the flaw to download an executable file that deploys a webshell, which allows post-exploit activities including theft of admin credentials, lateral movement, and the exfiltration of Active Directory files and registry hives.

Zoho issued a patch to fix the flaw on September 16, 2021; however, many organizations have been slow to apply the patch and remain vulnerable. Zoho issued a second security advisory about the flaw on November 22, 2021, warning the vulnerability was being exploited in the wild, urging customers to update to the latest version of the solution as soon as possible.

The vulnerability affects all ServiceDesk Plus (on-premises) versions up to and including version 11305. The vulnerability has been corrected in version 11306. The FBI and CISA explain in the alert that the vulnerability has been exploited since late October 2021 in attacks on critical infrastructure industries including healthcare, electronics, IT consulting, and the financial services industries.

Prior to exploiting the CVE-2021-44077 vulnerability, the threat actor was exploiting a critical vulnerability in a different Zoho ManageEngine product – the password management and single sign-on solution, Zoho ManageEngine ADSelfService Plus (CVE-2021-40539).

These campaigns have all delivered a variant of the Godzilla webshell, although in the latest campaign the webshell has been installed as a filter rather than as a standalone file. According to Palo Alto Networks’ Unit 42 team, there is no specific URL that the APT actor sends requests to when interacting with the webshell, and installing it as a filter bypasses a security filter in ServiceDesk Plus that blocks access to webshell files.

Around 21% of the attacks exploiting the vulnerability have been on targets in the United States, with the Unit 42 team also identifying attacks in India, Russia, Turkey, the United Kingdom, and other countries. There has not been any official attribution, although some evidence has been found linking the attacks to the APT27/Emissary Panda threat group, a hacking group with links to China.

Information about the tactics, techniques, and procedures of the APT actor, IoCs, YARA rules, and recommended mitigations can be found in the joint FBI and CISA advisory.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news