Read our most recent Flash Notice for the updates on this vulnerability.
In early December 2021, CISA and the FBI reported that an APT group was actively exploiting CVE-2021-44077, an unauthenticated remote code execution vulnerability in Zoho ManageEngine ServiceDesk Plus (IT help desk software with asset management). Successful exploitation lets an attacker upload executable files and place webshells, which the actor then uses for post-exploitation activity: compromising administrator credentials, moving laterally, and exfiltrating registry hives and Active Directory files. (CVE-2021-44515, sometimes confused with this issue, is a separate authentication-bypass vulnerability in ManageEngine Desktop Central, not a renamed identifier for the ServiceDesk Plus flaw.)
Zoho fixed the vulnerability in ServiceDesk Plus build 11306, released on September 16, 2021; builds 11305 and earlier remain affected, and an instance that has not been upgraded to 11306 or later is still exploitable. Malicious actors have been using the flaw to gain access to ServiceDesk Plus since late October 2021. Over the past three months, at least 13 undisclosed organizations across the energy, healthcare, education, and technology industries have been compromised by this APT actor. Of more than 4,700 internet-facing ServiceDesk Plus instances worldwide, roughly 2,900 (62%) are assessed to be vulnerable to exploitation. Currently, the threat actors have been seen using the following tactics, techniques, and procedures:
According to CISA and the FBI, the vulnerability stems from an improper security configuration in the application: certain application URLs can be reached without authentication, so a request to one of them bypasses the login process and returns data, or accepts input, that should require an authenticated session. An attacker who reaches such a URL gains unauthorized access to ServiceDesk Plus data or uses it as the entry point for a further attack, which in the observed campaign meant uploading an executable and dropping a webshell.
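The practical check that follows from the two paragraphs above is a log triage: look in the Tomcat access log of an internet-facing ServiceDesk Plus instance for requests to the unauthenticated REST endpoint, and confirm the running build number against the 11305 threshold. The script below is an added example written for this notice; it is not Avertium, Zoho, or CISA tooling. The endpoint name /RestAPI/ImportTechnicians comes from the public CVE-2021-44077 record (which names the /RestAPI URLs and the ImportTechnicians action), not from this page; the log lines are constructed; and the fixed-build cutoff follows the "11305 and earlier" statement above. Access logs do not record application-level login state, so the signal is the endpoint and the source address, not the remote-user field.

```python
import re

# Constructed sample lines in Apache/Tomcat common log format. They are not
# from any real incident; the third and fourth lines model the request shape
# described in the CVE-2021-44077 record (a POST reaching ImportTechnicians
# under /RestAPI), one of them with altered letter case.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [28/Oct/2021:09:12:01 +0000] "GET /ServiceDesk/ HTTP/1.1" 200 5120
10.0.0.5 - - [28/Oct/2021:09:12:07 +0000] "POST /RestAPI/AddRequest HTTP/1.1" 200 311
203.0.113.77 - - [28/Oct/2021:09:13:44 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 88
198.51.100.9 - - [28/Oct/2021:09:14:02 +0000] "POST /RESTAPI/ImportTechnicians?x=1 HTTP/1.1" 200 88
198.51.100.9 - - [28/Oct/2021:09:15:10 +0000] "GET /RestAPI/Requests HTTP/1.1" 403 0
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# First build containing Zoho's fix (released September 16, 2021).
FIXED_BUILD = 11306


def is_vulnerable_build(build: int) -> bool:
    """ServiceDesk Plus builds 11305 and earlier carry CVE-2021-44077."""
    return build < FIXED_BUILD


def find_suspicious_requests(log_text: str) -> list:
    """Return one finding per access-log line that touches the /RestAPI URLs.

    severity "high": any request to the ImportTechnicians action, the
                     endpoint named in the CVE record.
    severity "info": other POSTs under /RestAPI, worth a second look because
                     the same unauthenticated URL family is involved.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        rec = m.groupdict()
        # Strip the query string and normalise case so /RESTAPI/... is not missed.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.startswith("/restapi/"):
            continue
        if path.endswith("/importtechnicians"):
            severity = "high"
            reason = "request to ImportTechnicians (endpoint named in CVE-2021-44077)"
        elif rec["method"] == "POST":
            severity = "info"
            reason = "POST to /RestAPI URL; confirm it came from an authenticated session"
        else:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
            "reason": reason,
        })
    return findings


def summarize(findings: list) -> dict:
    """Group high-severity source addresses so each can be checked against known hosts."""
    high_ips = sorted({f["ip"] for f in findings if f["severity"] == "high"})
    return {"high_count": sum(f["severity"] == "high" for f in findings),
            "info_count": sum(f["severity"] == "info" for f in findings),
            "high_ips": high_ips}


if __name__ == "__main__":
    # Build number is an assumed input; read it from the instance you are checking.
    print("build 11305 vulnerable:", is_vulnerable_build(11305))
    for f in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f["severity"].upper(), f["ip"], f["method"], f["path"], "-", f["reason"])
    print(summarize(find_suspicious_requests(SAMPLE_ACCESS_LOG)))
```

A hit on ImportTechnicians from an address that is not a known administrator host is grounds to treat the instance as compromised and run Zoho's Exploit Detection Tool rather than to patch alone; a 200 status on that request is the worst case, but a failed request from the same address still shows who was probing.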
Palo Alto Networks ties the recent activity to a persistent APT actor that first exploited a zero-day vulnerability in ManageEngine ADSelfService Plus (CVE-2021-40539) in August and September 2021, then changed its method of attack and began exploiting CVE-2021-44077 in ServiceDesk Plus. Zoho rates the vulnerability as critical and has issued a patch (build 11306). Zoho has also published an Exploit Detection Tool that checks whether an installation has been compromised through this vulnerability; it is available from ManageEngine's advisory page for CVE-2021-44077. After downloading the tool, follow these steps:
If your organization is in need of further protection, you may want to utilize Avertium’s Vulnerability Management (vulnerability management as-a-service) to set up extra safeguards.
Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above services.