Overview

In early December 2021, CISA reported that an APT group was exploiting two vulnerabilities in Zoho’s ManageEngine ServiceDesk Plus, as well as their Desktop Central and Desktop Central MSP. Zoho is an enterprise software provider who specializes in IT help desk software with asset management.  

CVE-2021-44515 is an authentication bypass vulnerability that affects ManageEngine Desktop Central MSP. This vulnerability could allow an attacker to bypass authentication protections and execute arbitrary code in the Desktop Central MSP server. Attackers would then be able to gain unauthorized access by sending a crafted request that leads to remote code execution. Customers are advised to upgrade to builds 11149, 11212, 11311, or 12003. 

Vulnerability CVE-2021-44077 affects ManageEngine ServiceDesk Plus and includes an authentication bypass issue which can allow attackers to upload executable files and place webshells. The webshells enable the attacker to conduct post-exploitation activities (lateral movement, exfiltrating registry hives and Active Directory files, stealing administrator credentials, etc.).  

The Zoho update released on September 16, 2021, attempted to patch CVE-2021-44077, but it was not successful. Zoho released another patch that fixes the issue and instructions for patching can be found on their website. The vulnerability affects versions 11305 and earlier, and malicious actors have been using it to gain access to ManageEngine ServiceDesk Plus since late October 2021. Over the past three months, at least 13 undisclosed organizations across the energy, healthcare, education, and technology industries have been compromised by this APT threat actor. There are over 4,700 global internet facing instances of ServiceDesk Plus, of which 2,900 (62%) are assessed to be vulnerable to exploitation. Currently, the threat actors have been seen using the following tactics, techniques, and procedures:  

  • Writing webshells [T1505.003] to disk for initial persistence 
  • Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140] 
  • Conducting further operations to dump user credentials [T1003] 
  • Living off the land by only using signed Windows binaries for follow-on actions [T1218] 
  • Adding/deleting user accounts as needed [T1136] 
  • Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives 
  • Using Windows Management Instrumentation (WMI) for remote execution [T1047] 
  • Deleting files to remove indicators from the host [T1070.004] 
  • Discovering domain accounts with the net Windows command [T1087.002] 
  • Using Windows utilities to collect and archive files for exfiltration [T1560.001] 
  • Using custom symmetric encryption for command and control (C2) [T1573.001] 

According to CISA and the FBI, the source of the CVE-2021-44077 is an improper security configuration process used in the application. It allows attackers to gain unauthorized access to ServiceDesk Plus data through some of its application URLs. The URL bypasses the authentication process and fetches required data, delivering it to an attacker who then gains unauthorized access or carries out another attack.  

Palo Alto Networks stated that the observed recent activity is tied to a persistent APT threat actor that initially used a zero-day vulnerability in ManageEngine ADSelfService in August and September 2021. The threat actor then changed their method of attack and decided to exploit CVE-2021-44077 and is now leveraging the vulnerability in the ServiceDesk Plus and Desktop Central software. Zoho has classified the severity of this vulnerability as “severe” and has issued a patch. They have also developed an Exploit Detection Tool for CVE-2021-44515 that can help identify if an installation has been affected by the vulnerability. You can go here to download ManageEngine's Exploit Detection Tool. 

Due to the vulnerabilities happening consecutively, it is now recommended that all Zoho software be patched. These vulnerabilities follow the recent pattern of supply-chain compromise, like with the attacks on Kaseya and SolarWinds. These attacks should remind organizations of how important it is to keep track of what kind of remote management tools are in an environment and keep them up to date.  

After downloading follow these steps: 

  • Extract the tool to \ManageEngine\UEMS_CentralServer\bin folder or \ManageEngine\DesktopCentral_Server\bin folder, whichever is applicable for you. 
  • Open command prompt with admin privilege and navigate to \ManageEngine\UEMS_CentralServer\bin folder or \ManageEngine\DesktopCentral_Server\bin folder. 
  • Run the command RCEScan.bat 
  • As shown in the screenshots below, if your installation is affected, you will be thrown the message "Compromised". If your installation is unaffected, you will receive the message "Not Compromised".
     

How Avertium is Protecting Our Clients:

  • To help protect your organization from becoming a victim of this vulnerability, Avertium offers SIEM and EDR services for organizations who need protection against threat actors trying to exploit CVE-2021-44077 and CVE-2021-44515.  A robust SIEM Implementation is one of the most effective weapons you can leverage in the increasingly complex battle to secure your organization. Our EDR service will continuously monitor a system for suspicious activity within the security parameter.  
  • Avertium’s third-party vendor risk management services can monitor the security profiles of your organization’s critical vendors, such as ManageEngine, to provide early warning for potential security risks. 
  • If your organization is in need of further protection, you may want to utilize Avertium’s VMaaS (vulnerability management as-a-service) to set up extra safeguards.  
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above services.
     

Avertium's recommendations

  • Zoho, CISA and the FBI recommend the following:  
    • Apply patches to all Zoho software. 
    • Evaluate the business need and risk associated with any internet facing Zoho products. 
    • Review files that have been created in ServiceDesk Plus directories since early October 2021. 
    • Domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. 
    • Disconnect the affected machine from the network. 
    • Make a backup of the Desktop Central MSP configuration and critical business data. 
    • Format the compromised machine. 
    • Deploy the same software build, preferably on a new machine. 
    • Restore the backup. 
    • Also, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide. You can find Yara Rules here 

indicators of compromise (iocs):

CVE-2021-44077

  • passwordmanagerpromsp[.]com 
  • seed.nkn[.]org 
  • /RestAPI/ImportTechnicians?step=1 
  • 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015 
  • 068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324 
  • 759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088 
  • 262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d 
  • a44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d 
  • ce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382 
  • 75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600 
  • 5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb 
  • ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7 
  • 009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac  
  • 083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a 
  • 342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3 
  • 805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f 
  • 3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd 
  • 5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755 
  • 3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d 
  • 342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae 
  • 7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72 
  • 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090 
  • b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
  • e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c 
  • bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da 
  • d0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7 
  • 7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff 
File Paths 
    • C:\ManageEngine\ServiceDesk\bin\msiexec.exe 
    • C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar 
    • C:\Windows\Temp\ScriptModule.dll 
    • C:\ManageEngine\ServiceDesk\bin\ScriptModule.dll 
    • C:\Windows\system32\ME_ADAudit.exe 
    • c:\Users\[username]\AppData\Roaming\ADManager\ME_ADManager.exe 
    • %ALLUSERPROFILE%\Microsoft\Windows\Caches\system.dat 
    • C:\ProgramData\Microsoft\Crypto\RSA\key.dat 
    • c:\windows\temp\ccc.exe 

CVE-2021-44515

  • Navigate to \lib and check if you can find the file aaa.zip ( md5 - 9809bdf6e9981fbc3ad515b731124342 ). 
  • Navigate to \webapps\DesktopCentral\html and check if you can find the file help_me.jsp 

 

references

APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus | CISA 

Determined APT is exploiting ManageEngine ServiceDesk Plus vulnerability (CVE-2021-44077) - Help Net Security 

APT Conducts Active Campaign Against ManageEngine ServiceDesk Plus (paloaltonetworks.com) 

Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com) 

Critical flaw in ManageEngine Desktop Central MSP tool exploited in the wild | CSO Online 

Authentication Bypass using Filter Configuration | ManageEngine 

 

Related Reading:

APT Threat Actor Profile

 


Contact us for more information about Avertium’s managed security service capabilities.