Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077)

Description

FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.


Why is this Significant?

This is significant because the advisory was released in response to observed, ongoing exploitation of the vulnerability. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in their advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".


What Product and Versions are Vulnerable?

The vulnerable product is all editions of ServiceDesk Plus. Vulnerable versions are all versions up to, and including, version 11305.


What are the Technical Details of the Vulnerability?

Little technical detail is publicly available beyond the fact that the vulnerability is related to /RestAPI URLs handled by a servlet and to the ImportTechnicians entry in the product's Struts configuration.
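Because the two names above are the only technical detail published, a practical first check is to hunt web-server access logs for requests that combine them. The following is an added example written for this page (not FortiGuard's or Zoho's code); the combined access-log format, the sample lines, the follow-on webshell path and the heuristic itself are assumptions, since the advisory does not describe the exploit request:

```python
import re
from urllib.parse import unquote

# Combined-format access-log line (Apache/Tomcat style). The format, the field
# names and the sample lines below are assumptions made for this example.
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Percent-decode and lower-case the request path so encoded or mixed-case
    # variants of the same URL still match the indicator.
    rec["norm_path"] = unquote(rec["path"]).lower()
    return rec


def is_restapi_import_hit(rec):
    """True when the request targets a /RestAPI URL that names ImportTechnicians."""
    p = rec["norm_path"]
    return "/restapi" in p and "importtechnicians" in p


def hunt_access_log(lines):
    """Return (hits, follow_on): the indicator hits, plus every later request from
    a source IP that produced a hit. The follow-on list is where a newly dropped
    JSP being called for the first time would show up."""
    hits, follow_on, flagged_sources = [], [], set()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if is_restapi_import_hit(rec):
            hits.append(rec)
            flagged_sources.add(rec["src"])
        elif rec["src"] in flagged_sources:
            follow_on.append(rec)
    return hits, follow_on


# Constructed sample log lines for this example; they are not real traffic.
# The /custom/t.jsp path stands in for a hypothetical dropped webshell.
SAMPLE_LOG = [
    '10.0.0.12 - - [22/Nov/2021:09:58:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Nov/2021:10:15:02 +0000] "POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1" 200 512',
    '10.0.0.12 - - [22/Nov/2021:10:15:30 +0000] "GET /RestAPI/requests HTTP/1.1" 200 2048',
    '203.0.113.7 - - [22/Nov/2021:10:15:44 +0000] "GET /restapi/%49mportTechnicians HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Nov/2021:10:16:10 +0000] "GET /custom/t.jsp?cmd=whoami HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    hits, follow_on = hunt_access_log(SAMPLE_LOG)
    for rec in hits:
        print("HIT", rec["ts"], rec["src"], rec["method"], rec["path"], rec["status"])
    for rec in follow_on:
        print("FOLLOW-ON", rec["ts"], rec["src"], rec["method"], rec["path"], rec["status"])
```

Run it against the real access logs of the ServiceDesk Plus host (Tomcat access logs under the product's install directory, if enabled) rather than the constructed lines; the percent-decoding step matters because a simple substring match on the raw path would miss the encoded variant in the fourth sample line.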


What CVE Number and Severity are Assigned to the Vulnerability?

The vulnerability is assigned CVE-2021-44077 and is rated critical with a CVSS score of 9.8.


Which Industries are Targeted?

According to the advisory, Critical Infrastructure Sector industries, including the healthcare, financial services, electronics, and IT consulting industries, are targeted by the threat actors.


What Malicious Activities Conducted by the Threat Actors were Observed?

CISA provided the following tactics, techniques, and procedures (TTPs) for the observed activities:


  • Writing webshells to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information
  • Conducting further operations to dump user credentials
  • Living off the land by only using signed Windows binaries for follow-on actions
  • Adding/deleting user accounts as needed
  • Stealing copies of the Active Directory database (NTDS.dit) or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution
  • Deleting files to remove indicators from the host
  • Discovering domain accounts with the net Windows command
  • Using Windows utilities to collect and archive files for exfiltration
  • Using custom symmetric encryption for command and control (C2)
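Most of the TTPs above leave traces in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688). The following is an added example written for this page, not code from FortiGuard or CISA: it runs simple rules for the listed TTPs over constructed process events. The command-line patterns are this example's assumptions about how those techniques commonly appear (net.exe for account discovery and add/delete, wmic for WMI remote execution, ntdsutil and reg save for NTDS.dit and hive theft, makecab or Compress-Archive for archiving, del of a JSP for indicator removal, and a shell spawned by the product's JVM for webshell activity); they are not indicators published with the advisory, and the file paths are hypothetical.

```python
import re

# Detection rules keyed to the TTPs listed in the advisory. The patterns are
# this example's assumptions about how those techniques commonly appear in
# process-creation telemetry, not indicators published with the advisory.
RULES = [
    ("domain-account-discovery",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/domain\b", re.I)),
    ("account-add-or-delete",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/(?:add|delete)\b", re.I)),
    ("wmi-remote-execution",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("ntds-or-hive-theft",
     re.compile(r"\bntdsutil\b.*\bifm\b|\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("collect-and-archive",
     re.compile(r"\bmakecab(?:\.exe)?\b|\bcompress-archive\b", re.I)),
    ("indicator-removal",
     re.compile(r"\b(?:del|erase)\s+(?:/[a-z]\s+)*\S+\.jsp\b", re.I)),
]

# ServiceDesk Plus runs on Java, so a command shell whose parent is the product's
# JVM is the expected shape of a webshell executing commands (assumption).
JVM_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def webshell_child(event):
    """True when a shell is spawned directly by a JVM process."""
    return (_basename(event.get("ParentImage", "")) in JVM_IMAGES
            and _basename(event.get("Image", "")) in SHELL_IMAGES)


def classify(event):
    """Return the list of TTP labels that match one process-creation event."""
    labels = []
    if webshell_child(event):
        labels.append("webshell-child-process")
    cmd = event.get("CommandLine", "")
    for label, rx in RULES:
        if rx.search(cmd):
            labels.append(label)
    return labels


def detect(events):
    """Return (label, command line) pairs for every matching event, in input order."""
    return [(label, ev.get("CommandLine", "")) for ev in events for label in classify(ev)]


# Constructed sample events for this example (hypothetical paths, not real telemetry).
JVM = r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"Image": CMD, "ParentImage": JVM, "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": CMD,
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": CMD,
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": CMD,
     "CommandLine": 'wmic /node:dc01 process call create "cmd /c whoami"'},
    {"Image": r"C:\Windows\System32\ntdsutil.exe", "ParentImage": CMD,
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\ntds" q q'},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": CMD,
     "CommandLine": r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Image": r"C:\Windows\System32\makecab.exe", "ParentImage": CMD,
     "CommandLine": r"makecab C:\Windows\Temp\sam.hiv C:\Windows\Temp\s.cab"},
    {"Image": CMD, "ParentImage": CMD,
     "CommandLine": r"cmd.exe /c del /f /q C:\ManageEngine\ServiceDesk\webapps\ROOT\custom\t.jsp"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": CMD, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for label, cmd in detect(SAMPLE_EVENTS):
        print(f"{label:28s} {cmd}")
```

The rules are deliberately narrow so that a hit is worth an analyst's time; the JVM-spawns-shell check is the highest-signal one on a ServiceDesk Plus host, because that process has no legitimate reason to launch cmd.exe or powershell.exe. The net, wmic and reg patterns will also fire on legitimate administration, so treat them as hunting leads to correlate with the web-log indicator rather than as stand-alone alerts.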


Has the Vendor Patched the Vulnerability?

Yes, Zoho released a patch on September 16, 2021.


Has the Vendor Released an Advisory?

Yes, the vendor released an advisory on September 16, 2021. An additional advisory was released on November 22, 2021. Links are in the Appendix.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against available files that were used in the attack:

Java/Webshell.AD!tr
W64/Agent.BG!tr.pws
W32/Agent.CY!tr
Trojan.Win32.Agentb.kpbc
HEUR:Trojan-Dropper.Win32.Agentb.gen
HEUR:Backdoor.Multi.MalGO.a
Backdoor.Java.JSP.au
Trojan.Win64.Agentb.azo
Trojan.Win32.Agentb.kpbd
Trojan.Win64.Agentb.azp


As for CVE-2021-44077, there is not yet sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal accordingly.