Threat actors are actively exploiting an RCE vulnerability in Zoho’s ManageEngine ServiceDesk Plus help desk and asset management software to deploy web shells and carry out an array of malicious activities, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have warned.
Tracked as CVE-2021-44077, the issue is an unauthenticated remote code execution vulnerability caused by missing authentication on the /RestAPI URLs handled by a servlet and on ImportTechnicians in the Struts configuration. If left unpatched, the bug “allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” a joint alert says.
CVE-2021-44077 affects all ServiceDesk Plus versions up to, and including, version 11305. The issue was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above.
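A small triage helper written for this article (not code from Zoho, CISA or Unit42) that applies the two facts above from a defender's side: it classifies a ServiceDesk Plus build number against the 11306 fix threshold, and it scans access-log lines for requests to the unauthenticated /RestAPI endpoints that reference ImportTechnicians, plus requests for .jsp files outside a known-good list (a dropped JSP web shell appears as a new .jsp). The log layout, the exact request path and the sample lines are constructed assumptions; adapt the regex and the known-good set to the real deployment.

```python
import re
from typing import Dict, List, Set

# Per the advisory: builds up to and including 11305 are affected; the fix
# shipped with build 11306 (September 16, 2021).
FIXED_BUILD = 11306


def is_vulnerable_build(build: int) -> bool:
    """True when the ServiceDesk Plus build number predates the fix."""
    return build < FIXED_BUILD


# Assumed combined-style access-log layout (constructed for this example):
# SRC - - [timestamp] "METHOD PATH PROTO" STATUS SIZE
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_access_log(lines: List[str], known_jsp: Set[str]) -> List[Dict[str, str]]:
    """Flag requests matching the two indicators the advisory describes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.startswith("/RestAPI") and "ImportTechnicians" in path:
            reason = "restapi-importtechnicians"
        elif path.lower().endswith(".jsp") and path not in known_jsp:
            reason = "unknown-jsp"
        else:
            continue
        findings.append({"src": m.group("src"), "path": path, "reason": reason})
    return findings


# Constructed sample log: one /RestAPI ImportTechnicians request, one ordinary
# page load, one request to a .jsp that is not part of the known deployment.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2021:10:15:02 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 512',
    '198.51.100.3 - - [01/Nov/2021:10:15:09 +0000] "GET /WorkOrder.do HTTP/1.1" 200 8123',
    '203.0.113.7 - - [01/Nov/2021:10:16:41 +0000] "POST /custom/login.jsp HTTP/1.1" 200 77',
    '198.51.100.3 - - [01/Nov/2021:10:17:00 +0000] "GET /index.jsp HTTP/1.1" 200 4012',
]
KNOWN_JSP = {"/index.jsp"}  # assumed known-good JSP paths for this install

if __name__ == "__main__":
    print("build 11305 vulnerable:", is_vulnerable_build(11305))
    for f in triage_access_log(SAMPLE_LOG, KNOWN_JSP):
        print(f)
```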
According to the FBI and CISA, threat actors, including advanced persistent threat (APT) groups, have been exploiting this bug since late October 2021. Targets include critical infrastructure sector industries, with the healthcare, financial services, electronics and IT consulting industries among them, CISA said.
According to a new report from Palo Alto Networks’ Unit42, CVE-2021-44077 is the second flaw to be exploited by the same threat actor that was previously found exploiting a bug in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus (CVE-2021-40539) to compromise at least 11 organizations. Unit42 tracks this combined activity as the TiltedTemple campaign.
"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," the researchers said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus."
The attacks are believed to have been carried out by a "persistent and determined APT actor" operating out of China, which Microsoft tracks as "DEV-0322."
In the recent campaign, the threat actor has been observed uploading a new dropper ("msiexec.exe") to victim systems, which then deploys the Chinese-language Java Server Pages (JSP) web shell known as "Godzilla" for establishing persistence.
Palo Alto identified over 4,700 internet-exposed systems running the ServiceDesk Plus software globally. Among these, 62% are running vulnerable or unpatched versions of the software, with the majority of vulnerable systems located in the U.S., India, Russia, Great Britain and Turkey.