3 December 2021

Hackers actively exploiting critical Zoho ManageEngine ServiceDesk Plus flaw to drop web shells


Threat actors are actively exploiting an RCE vulnerability in Zoho’s ManageEngine ServiceDesk Plus help desk and asset management software to deploy web shells and carry out an array of malicious activities, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have warned.

Tracked as CVE-2021-44077, the issue is an unauthenticated remote code execution vulnerability caused by missing authentication on /RestAPI URLs in a servlet and on the ImportTechnicians action in the Struts configuration. If left unpatched, the bug “allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” a joint alert says.

CVE-2021-44077 affects all ServiceDesk Plus versions up to, and including, version 11305. The issue was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above.
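The two facts above (the unauthenticated ImportTechnicians endpoint under /RestAPI, and the 11305/11306 build boundary) are what a defender can act on. The following added triage helper is not code from the advisory, Zoho or Unit42: it flags a build number as unpatched and scans web-server access logs for hits on that endpoint. The log lines are constructed samples and the combined-log layout is an assumption about the deployment.

```python
import re
from typing import Optional

# Per the advisory, builds 11306 and later carry the September 2021 fix.
FIRST_PATCHED_BUILD = 11306

# Combined/common access-log layout (assumption; adjust to the real format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; only the first line touches the vulnerable action.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2021:03:14:07 +0000] "POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.5 - admin [28/Oct/2021:03:15:00 +0000] "GET /RestAPI/requests HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Oct/2021:03:16:22 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access-log record
"""


def is_vulnerable_build(build: int) -> bool:
    """True when a ServiceDesk Plus build predates the fixed build (11306+)."""
    return build < FIRST_PATCHED_BUILD


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log record; None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_importtechnicians_hits(log_text: str) -> list:
    """Return parsed entries whose path is the ImportTechnicians action under /RestAPI.

    Any such request on an unpatched build deserves triage, because the advisory
    describes the endpoint as reachable without authentication.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].lower()   # drop the query string
        if path.startswith("/restapi") and "importtechnicians" in path:
            entry["reason"] = "request to unauthenticated ImportTechnicians endpoint"
            hits.append(entry)
    return hits


if __name__ == "__main__":
    print("build 11305 vulnerable:", is_vulnerable_build(11305))
    for hit in flag_importtechnicians_hits(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["method"], hit["path"], "->", hit["reason"])
```

Correlating the flagged source addresses with subsequent writes of new .jsp files under the ServiceDesk Plus web root is the natural follow-up check, since the advisory describes web shell placement as the immediate post-exploitation step.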

According to the FBI and CISA, threat actors, including advanced persistent threat (APT) groups, have been exploiting this bug since late October 2021. Targets include critical infrastructure sector industries, with the healthcare, financial services, electronics and IT consulting industries among them, CISA said.

According to a new report from Palo Alto Networks’ Unit42, CVE-2021-44077 is the second flaw to be exploited by the same threat actor that was previously found exploiting a bug in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus (CVE-2021-40539) to compromise at least 11 organizations. Unit42 tracks this combined activity as the TiltedTemple campaign.

"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," the researchers said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus."

The attacks are believed to have been carried out by a "persistent and determined APT actor" operating out of China, which Microsoft tracks as "DEV-0322."

In the recent campaign, the threat actor has been observed uploading a new dropper ("msiexec.exe") to victim systems, which then deploys the Chinese-language Java Server Pages (JSP) web shell known as "Godzilla" for establishing persistence.

Palo Alto identified over 4,700 internet-exposed systems running the ServiceDesk Plus software globally. Among these, 62% are running vulnerable or unpatched versions of the software, with the majority of vulnerable systems located in the U.S., India, Russia, Great Britain and Turkey.
