FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability
The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product.
Tracked as CVE-2021-44515, the security error is an authentication bypass that can be exploited to achieve remote code execution. The bug affects the Professional and Enterprise editions of ServiceDesk Plus and potentially impacts tens of thousands of organizations around the world.
Rated critical (CVSS score of 9.8), the vulnerability was made public in early December, when Zoho warned that threat actors had already been exploiting the bug in attacks.
Now, the FBI says that exploitation by advanced persistent threat (APT) actors has been ongoing since at least October 2021. The attackers have been dropping a webshell on compromised Desktop Central servers, to override a legitimate function and set up for post-compromise activities.
The adversaries used the webshells to drop further tools, enumerate domain users, perform reconnaissance, and attempt to move laterally in the network and steal credentials.
Two variants of the observed webshells were used in these attacks, both designed to override a Desktop Central API servlet endpoint and gain access to inbound GET or outbound POST requests and execute commands with System privileges.
Following initial reconnaissance, the attackers deployed a ShadowPad variant dropper and a legitimate binary that is then abused to achieve persistence. When executed, the dropper injects backdoor code into an instance of svchost, to connect to a command and control (C&C) server and enable further malicious activities.
Organizations are encouraged to upgrade their ManageEngine Desktop Central installations as soon as possible, to ensure they can prevent potential attacks. Those running version 10.1.2127.17 and below should upgrade to 10.1.2127.18, while builds 10.1.2128.0 to 10.1.2137.2 should be upgraded to 10.1.2137.3.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to apply the available patches as soon as possible.