APT groups are targeting a months-old remote code execution vulnerability in Zoho’s ManageEngine ServiceDesk Plus help desk software in order to upload malicious files, drop webshells, and use the compromised servers as footholds to move laterally on target networks.
The vulnerability (CVE-2021-44077) is in versions of ManageEngine ServiceDesk Plus before version 11306 and it allows an attacker to bypass the authentication mechanism for the application and upload whatever files they choose. Zoho released an updated version that addressed the vulnerability in September, and published an updated advisory on Nov. 22 warning customers that active exploits against the flaw were underway. On Thursday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that their specialists have seen APT actors exploiting the vulnerability.
“The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory says.
The ManageEngine ServiceDesk Plus application is an IT help desk and asset management tool used in enterprises across a wide range of industries. The vulnerability only affects on-premises deployments, and not the cloud version of the application.
In the advisory, CISA and FBI said they have observed APT groups using a number of different tactics and techniques after exploiting the ManageEngine ServiceDesk Plus vulnerability, including writing webshells to disk in order to maintain persistence, and adding and deleting new accounts. Attackers also are stealing copies of the Windows Active Directory databases and registry hives. The attackers are spending some time cleaning up after themselves after compromising a server, too.
“Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell,” the advisory says.
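Because the clean-up scripts target the traces of initial exploitation, defenders are often better served by hunting for the post-exploitation activity the advisory lists: webshells written under the web root, accounts that are created and then deleted, and commands that export registry hives or the Active Directory database. The following is an added example, not code from the article, from Zoho or from CISA: a small Python hunt over constructed Windows Security and Sysmon event records. The install path, the flat log format and every sample record are assumptions made for the example; the event IDs (Security 4720/4726 for account creation/deletion, Sysmon 1/11 for process and file creation) are the standard Windows ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records for the example (not real telemetry). Format:
#   <ISO timestamp> <EventID> Key=Value Key=Value ...
# Event IDs: Sysmon 11 = FileCreate, Sysmon 1 = ProcessCreate,
# Security 4720 = user account created, Security 4726 = user account deleted.
SAMPLE_LOG = r"""
2021-11-23T10:14:55 11 Image=C:\Program Files\ManageEngine\ServiceDesk\bin\java.exe TargetFilename=C:\Program Files\ManageEngine\ServiceDesk\webapps\ROOT\custom\login\update.jsp
2021-11-23T10:15:02 4720 TargetUserName=svc_backup SubjectUserName=SYSTEM
2021-11-23T10:15:40 1 Image=C:\Windows\System32\reg.exe CommandLine=reg save HKLM\SAM C:\Windows\Temp\sam.hiv
2021-11-23T10:15:41 1 Image=C:\Windows\System32\reg.exe CommandLine=reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv
2021-11-23T10:16:10 1 Image=C:\Windows\System32\ntdsutil.exe CommandLine=ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q
2021-11-23T10:21:30 4726 TargetUserName=svc_backup SubjectUserName=SYSTEM
2021-11-23T11:00:00 4720 TargetUserName=jsmith SubjectUserName=helpdesk1
2021-11-23T11:05:00 11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\jsmith\Documents\notes.txt
"""

# Assumed on-premises install location; adjust to the real deployment.
WEBROOT = r"C:\Program Files\ManageEngine\ServiceDesk\webapps"
SCRIPT_EXTS = (".jsp", ".jspx", ".war")  # server-side content a Java web app will execute

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")
KV_SPLIT = re.compile(r" (?=[A-Za-z]+=)")  # split only before the next Key= token
HIVE_RE = re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)
NTDS_RE = re.compile(r"ntds\.dit|ntdsutil|\bifm\b", re.I)


def parse_event(line):
    """Parse one flat record into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = dict(part.split("=", 1) for part in KV_SPLIT.split(rest))
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), **fields}


def parse_log(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def webshell_candidates(events, webroot=WEBROOT):
    """File-creation events that drop a server-side script under the web root."""
    hits = []
    for e in events:
        if e["id"] != 11:
            continue
        path = e.get("TargetFilename", "")
        if path.lower().startswith(webroot.lower()) and path.lower().endswith(SCRIPT_EXTS):
            hits.append(path)
    return hits


def short_lived_accounts(events, window_minutes=60):
    """Accounts created (4720) and deleted (4726) within the window: the
    add-then-remove pattern the advisory describes."""
    window = timedelta(minutes=window_minutes)
    created, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e.get("TargetUserName")
        if e["id"] == 4720:
            created[user] = e["ts"]
        elif e["id"] == 4726 and user in created:
            if e["ts"] - created[user] <= window:
                hits.append(user)
            del created[user]
    return hits


def credential_theft_commands(events):
    """Process-creation events whose command line exports registry hives
    (SAM/SYSTEM/SECURITY) or the Active Directory database (ntds.dit)."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        cmd = e.get("CommandLine", "")
        if HIVE_RE.search(cmd) or NTDS_RE.search(cmd):
            hits.append(cmd)
    return hits


def hunt(text):
    """Run all three checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "webshell_candidates": webshell_candidates(events),
        "short_lived_accounts": short_lived_accounts(events),
        "credential_theft_commands": credential_theft_commands(events),
    }


if __name__ == "__main__":
    for check, findings in hunt(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Run against the constructed records, the hunt flags the `.jsp` dropped under the web root, the `svc_backup` account that existed for about six minutes, and the three hive and ntds export commands, while ignoring the ordinary helpdesk account creation and the document write. Against real telemetry, the webroot check is the most durable of the three: a webshell has to stay on disk to be useful, so it survives the clean-up scripts the advisory mentions even when the exploitation requests themselves do not.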
Enterprises that run ManageEngine ServiceDesk Plus should upgrade to version 11306 as soon as possible.