The In-house Zoho ServiceDesk Exploit Used to Drop Webshells
An APT Group Is Exploiting an Unauthenticated Remote Code Execution Issue.
Last updated on December 3, 2021
You may recall that we reported a while ago that state-backed advanced persistent threat (APT) groups have been actively exploiting a significant vulnerability in a Zoho single sign-on and password management solution since early August 2021.
As thoroughly reported by BleepingComputer, there is no publicly available proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group using it developed its own attack code and is, for the time being, the only party using it.
The actor has been observed exploiting an unauthenticated remote code execution vulnerability in Zoho ServiceDesk Plus versions 11305 and earlier, now tracked as CVE-2021-44077.
Zoho patched the RCE vulnerability on September 16, 2021, and on November 22, 2021 the firm published a security advisory warning customers of active exploitation. Users, however, were slow to upgrade and so remained exposed to attack.
A report from Palo Alto Networks’ Unit42 reaches the same conclusion about the exploit and describes the campaign as follows:
Over the course of three months, a persistent and determined APT actor has launched multiple campaigns which have now resulted in compromises to at least 4 additional organizations, for a total of 13. Beginning on Sept. 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Building upon the findings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.
As an update to our initial reporting, over the past month we have observed the threat actor expand its focus beyond ADSelfService Plus to other vulnerable software. Most notably, between Oct. 25 and Nov. 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus. We now track the combined activity as the TiltedTemple campaign. In our Nov. 7 blog, we stated that “while attribution is still ongoing and we have been unable to validate the actor behind the campaign, we did observe some correlations between the tactics and tooling used in the cases we analyzed and Threat Group 3390 (TG-3390, Emissary Panda, APT27)
Organizations are strongly advised to patch their Zoho software as soon as possible and to examine any files created in the ServiceDesk Plus directories.
Many of these vulnerable installations are found in government systems, universities, healthcare institutions, and other critical infrastructure.
How to Stay Safe Using Heimdal™?
Vulnerability management should remain a top priority for every business that wants the best means of securing its organization. No software is perfect, and vulnerabilities surface from time to time. To contain the threat those bugs pose to your network, an automated Patch Management Solution lets you handle vulnerability management efficiently and use your time wisely.
Our tool lets you deploy any patch wherever you are, using command-line scripting to cover patches for Microsoft, third-party and proprietary software. What is even better is the vendor-to-end-user waiting time: in less than 4 hours from release, your patch is tested, repackaged and ready to deploy. Curious? Find out more about our Patch Management Solution!
Dora is a digital marketing specialist at Heimdal™ Security. She is a content creator at heart, always curious about technology and passionate about finding out everything there is to know about cybersecurity.