Threat Signal Report
Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077)
FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.
Why is this Significant?
This is significant because the advisory was released due to active exploitation of the vulnerability being observed. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in their advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".
What Product and Versions are Vulnerable?
The vulnerable product is all editions of ServiceDesk Plus. Vulnerable versions are all versions up to, and including, version 11305.
What are the Technical Details of the Vulnerability?
Not much information is currently available on the vulnerability other than the vulnerability is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
What is CVE Number and Severity Assigned to the Vulnerability?
The vulnerability is assigned CVE-2021-44077 and is rated critical with CVSS score of 9.8.
Which Industries are Targeted?
According to the advisory, Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries are targeted by threat actors.
What Malicious Activities Conducted by the Threat Actors were Observed?
CISA provided the following Tactics, techniques and procedures (TTPs) for the observed activities:
- Writing webshells to disk for initial persistence
- Obfuscating and Deobfuscating/Decoding Files or Information
- Conducting further operations to dump user credentials
- Living off the land by only using signed Windows binaries for follow-on actions
- Adding/deleting user accounts as needed
- Stealing copies of the Active Directory database (NTDS.dit) or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution
- Deleting files to remove indicators from the host
- Discovering domain accounts with the net Windows command
- Using Windows utilities to collect and archive files for exfiltration
- Using custom symmetric encryption for command and control (C2)
Has the Vendor Patched the Vulnerability?
Yes, Zoho released a patch on September 16, 2021.
Has the Vendor Released an Advisory?
Yes, the vendor released an advisory on September 16, 2021. Additional advisory was released on November 22, 2021. Links are in the Appendix.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available files that were used in the attack:
As for CVE-2021-44077, there is no sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal with protection.
APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus (CISA FBI Joint Advisory)
CVE-2021-44077 Detail (NIST)
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|