The Federal Bureau of Investigation (FBI) said that state-sponsored hacker groups (advanced persistent threat, APT, actors) have been actively exploiting a zero-day vulnerability in Zoho's ManageEngine Desktop Central tool since at least October 2021.
"Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers," the FBI's TLP:WHITE flash alert reads.
According to the law enforcement agency, the observed attacks involved threat actors compromising Desktop Central servers, installing a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
The FBI did not name the state-backed hacker group that was observed exploiting the above-mentioned vulnerability.
CVE-2021-44515 is an improper authentication issue in Zoho ManageEngine Desktop Central MSP that allows a remote attacker to bypass the authentication process and execute arbitrary code on the Desktop Central server. The bug was patched by Zoho at the beginning of December.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2021-44515 to its ever-growing Known Exploited Vulnerabilities Catalog on December 10, ordering federal agencies to patch the flaw before Christmas under Binding Operational Directive (BOD) 22-01.