An APT group is leveraging a critical vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus to compromise organizations in a variety of sectors, including defense and tech.
“Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the Cybersecurity and Infrastructure Security Agency (CISA) warns.
CVE-2021-44077 is an authentication bypass vulnerability that affects ManageEngine ServiceDesk Plus (on-premises) installations using versions 11305 and earlier.
The source of the vulnerability is an improper security configuration process used in ServiceDesk Plus, and it allows attackers to gain unauthorized access to the application’s data through a few of its application URLs.
“To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement,” the company explained.
“This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.”
The vulnerability was patched by ManageEngine (a Zoho subsidiary) on September 16, 2021, with the release of version 11306.
The attacks exploiting CVE-2021-44077 have been happening for a while.
Palo Alto Networks’ Unit 42 has tied the activity to a “persistent and determined APT actor” that first used a zero-day vulnerability in ADSelfService in August and September, then switched to exploiting another vulnerability (CVE-2021-44077) affecting the same software in September and October, and is now (since late October) leveraging CVE-2021-44077 in the ServiceDesk Plus software.
Since there is no publicly available proof-of-concept exploit code for CVE-2021-44077, the researchers posit that the APT actor developed the exploit code for these attacks themselves.
“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla webshell which provides the actor with further access to and persistence in compromised systems,” they shared.
“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.”
Mitigation and remediation
Unit 42’s scanning for internet-facing instances of ManageEngine ServiceDesk Plus has revealed over 4,700 installations, 2,900 of which are vulnerable to exploitation. Some 600 of these are located in the U.S.
The researchers have shared technical details and IoCs of these latest attacks exploiting CVE-2021-44077, as well as advice for organizations on how to defend themselves.
The CISA advisory offers similar information, including network indicators, TTPs, YARA rules and mitigation advice. Zoho has provided additional details and a downloadable exploit detection tool that companies can use to run a quick scan and discover any compromise of their installation.
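Two quick triage checks follow from the description above: the affected build range (11305 and earlier, fixed in 11306) and the bypass mechanism, a URL path in the assets module that only resolves to a protected route after the server decodes or normalizes it. The following Python is an added example written for this page, not code from Zoho, CISA or Unit 42. It assumes a constructed combined-log-format access log and a hypothetical `/assets` URL prefix standing in for the ServiceDesk Plus assets-module paths; the flagging rule is generic path-canonicalization drift (percent encoding, double encoding, dot segments, Unicode and case variants) rather than the specific character replacement the vendor describes, which the page does not detail.

```python
"""Defender-side triage helpers for the CVE-2021-44077 advisory.

Added example, not vendor or advisory code. Assumptions not on the page:
the log format below is constructed, and '/assets' is a hypothetical
stand-in for the ServiceDesk Plus assets-module URL prefix.
"""
import re
import unicodedata
from urllib.parse import unquote

LAST_VULNERABLE_BUILD = 11305  # page: builds 11305 and earlier are affected
FIXED_BUILD = 11306            # page: fix shipped in build 11306


def is_vulnerable_build(build):
    """True when an on-premises ServiceDesk Plus build is in the affected range."""
    return int(build) <= LAST_VULNERABLE_BUILD


def canonicalize_path(path):
    """Reduce a request path to the form a router would dispatch on:
    percent-decode until stable (catches double encoding), NFKC-normalize,
    lower-case, and collapse '.' and '..' segments."""
    prev, decoded = None, path
    while decoded != prev:
        prev = decoded
        decoded = unquote(decoded)
    decoded = unicodedata.normalize("NFKC", decoded).lower()
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_requests(log_lines, module_prefix="/assets"):
    """Return (client, raw_path, canonical_path) for every successful (2xx)
    request whose raw path differs from its canonical form and lands in the
    protected module only after canonicalization."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        raw = m.group("path").split("?", 1)[0]
        raw_cmp = raw.rstrip("/") or "/"   # a bare trailing slash is benign
        canon = canonicalize_path(raw)
        if (m.group("status").startswith("2")
                and canon.startswith(module_prefix)
                and canon != raw_cmp):
            hits.append((m.group("ip"), raw, canon))
    return hits


# Constructed sample log lines (not real traffic): one plain request, two
# encoded variants of assets-module paths that succeed, one that is rejected
# with 401, and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2021:10:00:01 +0000] "GET /assets/list HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Dec/2021:10:00:07 +0000] "GET /%61ssets/list HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Dec/2021:10:00:09 +0000] "GET /assets/%2e%2e/assets/export HTTP/1.1" 200 8192',
    '10.0.0.7 - - [01/Dec/2021:10:00:12 +0000] "GET /assets/%2e%2e/assets/export HTTP/1.1" 401 0',
    '10.0.0.8 - - [01/Dec/2021:10:00:15 +0000] "GET /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("build 11305 vulnerable:", is_vulnerable_build(11305))
    print("build 11306 vulnerable:", is_vulnerable_build(FIXED_BUILD))
    for client, raw, canon in flag_requests(SAMPLE_LOG):
        print(f"review {client}: {raw!r} dispatches as {canon!r}")
```

The rule deliberately treats any difference between the raw and dispatched path as worth a look, so legitimate mixed-case or trailing-slash variants of protected routes will surface too; tighten the comparison to match the server's actual routing rules before running it over production logs, and treat a 2xx on a canonicalized protected path from a client with no prior login as the strongest signal.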
Finally, Palo Alto’s researchers have offered an additional warning:
“In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”