CISA reported that the CVE-2021-44077 vulnerability (CVSS score: 9.8) affects ServiceDesk Plus versions up to and including build 11305 and, if left unpatched, "allows an attacker to upload executable files and place web shells that enable post-exploitation activities such as compromising administrator credentials, conducting lateral movement and exfiltrating registry hives and Active Directory files".
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States are warning of active exploitation of a newly patched flaw in Zoho’s ManageEngine ServiceDesk Plus product to deploy web shells and carry out a variety of malicious activities.
Zoho explained in an independent advisory published on November 22 that "an adversary could exploit this vulnerability to execute arbitrary code and carry out subsequent attacks." On September 16, 2021, Zoho fixed the same flaw in versions 11306 and higher.
According to a new report published by Palo Alto Networks' Unit 42 threat intelligence team, CVE-2021-44077 is the second flaw exploited by the same threat actor, which was previously discovered exploiting a security flaw (CVE-2021-40539) in Zoho's self-service password management and single sign-on solution, ManageEngine ADSelfService Plus, to compromise at least 11 organisations.
Unit 42 researchers Robert Falcone and Peter Renals reported that, "Most notably, between October 25 and November 8, the actor shifted his focus to several organisations that used a different Zoho product called ManageEngine ServiceDesk Plus."
The APT actor launched multiple campaigns over the course of three months, compromising at least 13 organisations. Several of the organisations impacted work in critical infrastructure sectors in the United States, including defence, transportation, healthcare, and energy.
The actor's first campaign took advantage of a zero-day flaw in the Zoho ManageEngine ADSelfService Plus software. The actor launched its most recent campaign in late October, focusing on a previously unknown vulnerability in the Zoho ManageEngine ServiceDesk Plus software (CVE-2021-44077). After exploiting this vulnerability, the actor uploaded a new dropper that deployed a Godzilla web shell on victim networks, bypassing a security filter in the ADSelfService Plus and ServiceDesk Plus products.
Finally, the researchers concluded that "there are over 4,700 internet-facing instances of ServiceDesk Plus worldwide, with 2,900 – or 62 percent – deemed vulnerable to exploitation. Given the actor's success to date and ongoing reconnaissance activities against a wide range of industries (including infrastructure associated with five US states), we expect the number of victims to rise further".
Indicators of Compromise