The Cybersecurity and Infrastructure Security Agency (CISA) and FBI warned about the ongoing exploitation of the recently addressed vulnerability in Zoho’s ManageEngine ServiceDesk Plus product. Tracked as CVE-2021-44077, the unauthenticated remote code execution vulnerability affects all ServiceDesk Plus versions up to and including version 11305.
Successful exploitation of this flaw could allow an attacker to upload executable files and place web shells that enable post-exploitation activities like compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. While there is no information about the attackers behind this exploitation, the FBI and CISA suspect that advanced persistent threat (APT) actors are among those exploiting the vulnerability.
While Zoho released the patch for this vulnerability on September 16, 2021, the FBI and CISA stated that threat actors have been exploiting the CVE-2021-44077 flaw since October 2021.
The agencies also identified attackers using various tactics, techniques, and procedures (TTPs), including:
- Writing web shells to disk for initial persistence
- Obfuscating files, and deobfuscating/decoding files or information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the Windows net command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)
The agencies urged organizations to report any of the following:
- Identification of indicators of compromise as outlined above.
- Presence of web shell code on compromised ServiceDesk Plus servers.
- Unauthorized access to or use of accounts.
- Evidence of lateral movement by malicious actors with access to compromised systems.
- Other indicators of unauthorized access or compromise.
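The first TTP above (web shells written to disk) and the reporting trigger "presence of web shell code on compromised ServiceDesk Plus servers" both come down to the same hunt: find recently written, server-executable files under the product's web root that were not there at install time. The script below is an added example, not code from the advisory, CISA, FBI or Zoho; the directory layout (webapps/ROOT/custom), the extension list and the 30-day look-back are assumptions, and the sample tree it builds is constructed in a temporary directory so the script runs offline. It reports each hit with its UTC modification time and SHA-256 so the file can be cited in a report and compared against a known-good install.

```python
"""Hunt for recently written web-shell-like files under a ServiceDesk Plus
install directory. Added example; paths, extensions and look-back window are
assumptions, not values from the advisory."""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timezone

# Extensions a dropped web shell or follow-on binary would plausibly carry on a
# Java-based product such as ServiceDesk Plus (assumption, not from the advisory).
SUSPECT_EXTENSIONS = {".jsp", ".jspx", ".war", ".exe", ".dll", ".bat", ".ps1"}


def sha256_of(path):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_recent_suspect_files(root, since_epoch):
    """Return sorted (relative_path, mtime_iso_utc, sha256) tuples for files under
    root whose extension is in SUSPECT_EXTENSIONS and whose mtime >= since_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime >= since_epoch:
                rel = os.path.relpath(full, root)
                when = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
                hits.append((rel, when, sha256_of(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample install: a 90-day-old legitimate JSP, a freshly written
    JSP in a hypothetical writable subdirectory, and an unrelated text file.
    Returns (root, cutoff_epoch) with a 30-day look-back (assumption)."""
    root = tempfile.mkdtemp(prefix="sdp-hunt-")
    now = time.time()
    old_dir = os.path.join(root, "webapps", "ROOT")
    new_dir = os.path.join(old_dir, "custom")  # hypothetical path
    os.makedirs(new_dir)

    legit = os.path.join(old_dir, "index.jsp")
    with open(legit, "w") as f:
        f.write("<%-- legitimate page (constructed) --%>\n")
    os.utime(legit, (now - 90 * 86400, now - 90 * 86400))

    dropped = os.path.join(new_dir, "cmd.jsp")
    with open(dropped, "w") as f:
        f.write("<%-- constructed placeholder standing in for a dropped web shell --%>\n")
    os.utime(dropped, (now, now))

    with open(os.path.join(new_dir, "readme.txt"), "w") as f:
        f.write("non-executable content, should not be flagged\n")

    return root, now - 30 * 86400


if __name__ == "__main__":
    root, cutoff = build_sample_tree()
    for rel, when, digest in find_recent_suspect_files(root, cutoff):
        print(f"{when}  {digest[:16]}...  {rel}")
```

On a real host, point find_recent_suspect_files at the ServiceDesk Plus install root and set the cutoff to the last known-good date (the patch date, September 16, 2021, is a reasonable floor given the advisory's October 2021 exploitation timeline); every hit should then be diffed against a clean install of the same build before it is treated as an indicator.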
CISA and the FBI urged organizations to remain vigilant and to apply the available updates to vulnerable ServiceDesk Plus installations.