Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw

The source of the vulnerability is an improper security configuration process used in ServiceDesk Plus.


An APT gang is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises in a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw in ManageEngine ServiceDesk Plus (on-premises) installations using versions 11305 and earlier. An incorrect security configuration process in ServiceDesk Plus is the root of the vulnerability, which allows an attacker to obtain unauthorised access to the application's information via a few of its application URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 
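The advisory above describes the bypass only in outline: a protected URL path in the assets module, rewritten with a different character set, slips past the authentication check but still reaches the handler. As an added example (not code from the article, CISA or Zoho), the following defender-side log check turns that description into a detection rule: a request whose raw path does not name a protected module but whose canonical form (percent-decoded, Unicode-normalized) does is flagged. The `/assets/` prefix and the log lines are constructed placeholders, not the real ServiceDesk Plus routes or observed traffic.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical prefix for the assets module; the real ServiceDesk Plus routes
# are not given in the article, so adapt this to the deployed application.
PROTECTED_PREFIXES = ("/assets/",)

def canonical_path(raw_path: str) -> str:
    """Percent-decode to a fixed point (bounded, so double-encoding is caught),
    NFKC-normalize, collapse duplicate slashes and lower-case: the view the
    application dispatches on after its own character-set handling."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = unicodedata.normalize("NFKC", path)
    return re.sub(r"/+", "/", path).lower()

def is_suspicious(raw_path: str) -> bool:
    """True when the raw path misses every protected prefix but its canonical
    form hits one: exactly the gap an auth filter keyed on the raw string leaves."""
    canon = canonical_path(raw_path)
    hits_canon = any(canon.startswith(p) for p in PROTECTED_PREFIXES)
    hits_raw = any(raw_path.lower().startswith(p) for p in PROTECTED_PREFIXES)
    return hits_canon and not hits_raw

# Combined Log Format: client, identd, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})')

def flag_requests(log_lines):
    """Return (client, raw_path, status) for each line that looks like a
    character-set bypass of a protected prefix."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_suspicious(path):
            flagged.append((client, path, int(status)))
    return flagged

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Dec/2021:10:00:01 +0000] "GET /assets/list HTTP/1.1" 302 0',
    '198.51.100.7 - - [02/Dec/2021:10:00:05 +0000] "GET /%61ssets/list HTTP/1.1" 200 4231',
    '203.0.113.9 - - [02/Dec/2021:10:00:09 +0000] "GET /%2561ssets/list HTTP/1.1" 200 4231',
    '203.0.113.9 - - [02/Dec/2021:10:00:12 +0000] "GET /ａssets/list HTTP/1.1" 200 4231',
    '192.0.2.4 - - [02/Dec/2021:10:00:20 +0000] "GET /help/index.html HTTP/1.1" 200 512',
]
```

The first sample line is the legitimate, redirected-to-login request; the three flagged lines reach the same handler through single encoding, double encoding and a fullwidth letter, which is why a normalized-path comparison rather than a raw-string match is the useful check.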

On September 16, 2021, ManageEngine (a Zoho subsidiary) released version 11306 to address the issue. CVE-2021-44077 has been the target of attacks for quite some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService in August and September, then moved to leverage another vulnerability (CVE-2021-44077) impacting the same software in September and October, and is now (since late October) exploiting CVE-2021-44077 in the ServiceDesk Plus software. 

The researchers believe the APT actor developed its own exploit code for these attacks, since no proof-of-concept exploit for CVE-2021-44077 is publicly available.

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700 installations, with 2,900 of them vulnerable to exploitation. In the United States, there are about 600 of them. 

The researchers have released technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, along with recommendations for how organizations can protect themselves. Similar information, together with network indicators, TTPs, Yara rules and mitigation advice, is available in the CISA advisory, and Zoho has published additional details and a downloadable exploit detection tool that organizations can use to run a quick scan and check their installation for signs of compromise.

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”