The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning concerning the continued exploitation of a newly patched vulnerability in Zoho's ManageEngine ServiceDesk Plus product.
CVE-2021-44077, rated critical by Zoho, is an unauthenticated remote code execution (RCE) flaw that affects all ServiceDesk Plus versions up to and including 11305. Zoho fixed the problem in ServiceDesk Plus versions 11306 and higher, released on September 16, 2021.
According to the FBI and CISA, advanced persistent threat (APT) actors are among those abusing the vulnerability. After successfully exploiting it, an attacker can upload executable files and deploy web shells, allowing the adversary to carry out post-exploitation operations such as compromising administrator credentials, moving laterally, and extracting registry hives and Active Directory files.
"A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho explained in an official alert issued on November 22. "This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks."
According to a recent report from Palo Alto Networks' Unit 42 threat intelligence team, CVE-2021-44077 is likely the second flaw abused by the same threat actor that was previously observed exploiting a security vulnerability (CVE-2021-40539) in Zoho's self-service password management and single sign-on solution, ManageEngine ADSelfService Plus, to compromise at least 11 organizations.
"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," Unit 42 researchers Robert Falcone and Peter Renals said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus."
The attacks are believed to be the work of a "persistent and determined APT actor" tracked as "DEV-0322," an emerging threat cluster that Microsoft assesses is based in China and that was earlier this year observed exploiting a then-zero-day flaw in the SolarWinds Serv-U managed file transfer service. Unit 42 tracks the combined activity as the "TiltedTemple" campaign.
Following a successful compromise, the threat actor uploads a new dropper ("msiexec.exe") to victim systems, which then installs the Chinese-language JSP web shell known as "Godzilla" to establish persistence on those machines, mirroring the techniques used against the ADSelfService Plus software.
At least two different organizations have been affected by the ManageEngine ServiceDesk Plus vulnerability in the last three months, and the number is likely to grow as the APT group ramps up its reconnaissance against the technology, energy, transportation, healthcare, education, finance, and defense industries.
Zoho, for its part, has made an exploit detection tool available to help customers determine whether their on-premises installations have already been affected, and recommends that customers "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate any risk arising from exploitation.