Zoho Zero-Day Exploited by State Threat Actors Since October, FBI Says
The Flaw Is Located in Zoho’s ManageEngine Desktop Central Servers and Companies Are Advised to Apply the Existing Patch ASAP.
According to a flash alert published by the Federal Bureau of Investigation (FBI) on the 17th of December, state-backed cybercriminal groups have been actively exploiting a Zoho zero-day since late October. The vulnerability is located in Zoho’s ManageEngine Desktop Central, and it appears to have been of interest to Advanced Persistent Threat (APT) groups for a while.
Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
About the Zoho Zero-Day
As mentioned earlier, the Zoho zero-day was classified as CVE-2021-44515 and is an authentication bypass flaw that allows threat actors to perform arbitrary code execution on Zoho’s Desktop Central servers. The vulnerability received a patch from Zoho at the beginning of December.
As Shodan’s data indicates, over 2900 instances of ManageEngine Desktop Central appear to be exposed and potentially vulnerable to cyberattacks.
After the patch was released, the company also advised customers to deploy it as fast as possible to remain protected, as ongoing exploitation attempts had been identified.
As per the company’s advice, customers who suspect that they were affected can use Zoho’s Exploit Detection Tool to check whether they were impacted. Zoho also stressed the importance of implementing mitigation measures: back up essential business information, disconnect compromised networks, format impacted servers, restore Desktop Central and apply the patches.
What to do if signs of compromise are found? The company advises to:
Initiate a password reset for all services, accounts, Active Directory, etc. that have been accessed from the service-installed machine. It is better if AD administrator passwords are also reset.
CVE-2021-44515 was also added by CISA to its Known Exploited Vulnerabilities Catalog. Following this, federal agencies are required to patch it before Christmas.
A Little Insight into Other Attacks on Zoho
Zoho was targeted in the past too. In September, we wrote about another vulnerability in the single sign-on and password management solution that became the target of APT groups. At that time, the flaw was classified as CVE-2021-40539 and was located in Zoho ManageEngine’s ADSelfService Plus software, which later received a patch. If successfully exploited, it allowed threat actors to take complete control of a system.
At the time, the FBI and CISA advised businesses to apply the ADSelfService Plus 6114 upgrade promptly and to make sure ADSelfService Plus could not be accessed directly from the Internet.
How Can Heimdal™ Help?
The exploitation of software vulnerabilities by hackers can only be prevented with an efficient vulnerability management strategy in place. That is why businesses need an automated Patch and Asset Management Tool, a product that not only covers Microsoft software but also third-party and proprietary ones and offers flexibility and efficiency through features like advanced scheduling or on-demand patch updates, eliminating the need for over-the-shoulder supervision of your users. But the coolest thing about our solution is the vendor-to-end-user waiting time: once an official patch is released, it takes less than 4 hours to be ready for deployment in your Heimdal™ Cloud. Patch anything and be a step ahead of hackers!