
Zoho: Patch New ManageEngine Flaw Abused in Attacks ASAP


Business software vendor Zoho says customers should upgrade their Desktop Central and Desktop Central MSP installations to the latest available version.

ManageEngine Desktop Central from Zoho is an endpoint management tool that lets administrators automatically deploy updates and software across the network and troubleshoot machines remotely. Zoho announced that a freshly patched critical issue in its Desktop Central and Desktop Central MSP products is being actively exploited by malicious actors, making it the third security vulnerability in its products to be exploited in the wild in the last four months.

The vulnerability, designated CVE-2021-44515, is an authentication bypass flaw that could let an attacker bypass authentication and execute arbitrary code on the Desktop Central MSP server.

If indicators of compromise are discovered, Zoho recommends a "password reset for all services, accounts, Active Directory, etc. that has been accessed from the service installed machine", together with a reset of Active Directory administrator passwords.

"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible." 

If impacted, the company suggests disconnecting affected systems from the network, backing up all essential business data on them, resetting the compromised servers, restoring Desktop Central, and updating it to the most recent release once the installation is complete. The company has also made an Exploit Detection Tool available to help customers find indicators of compromise on their systems.

A quick Shodan search revealed over 3,200 ManageEngine Desktop Central instances exposed to the internet on various ports and therefore open to attack.

CVE-2021-44515 now joins two previous vulnerabilities, CVE-2021-44077 and CVE-2021-40539, that have been abused to attack critical infrastructure organisations' networks around the world. 

CVE-2021-44077, an unauthenticated, remote code execution vulnerability impacting ServiceDesk Plus, is being abused to drop web shells and carry out a variety of post-exploitation operations as part of a campaign termed "TiltedTemple," according to the US Cybersecurity and Infrastructure Security Agency (CISA).

Zoho ManageEngine ServiceDesk Plus Vulnerability, Exploited By Threat Actors


The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning concerning the continued exploitation of a newly patched vulnerability in Zoho's ManageEngine ServiceDesk Plus product. 

CVE-2021-44077, rated critical by Zoho, is an unauthenticated remote code execution (RCE) flaw that affects all ServiceDesk Plus versions up to and including 11305. The issue was resolved by a Zoho update released on September 16, 2021, for ServiceDesk Plus versions 11306 and higher.

According to the FBI and CISA, advanced persistent threat (APT) cyber actors are among those abusing the vulnerability. After successfully exploiting it, an attacker can upload executable files and deploy web shells, allowing the adversary to perform post-exploitation operations such as compromising administrator credentials, moving laterally, and exfiltrating registry hives and Active Directory files.

"A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho explained in an official alert issued on November 22. "This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks." 

According to a recent report from Palo Alto Networks' Unit 42 threat intelligence team, CVE-2021-44077 is likely the second flaw abused by the same threat actor that was previously observed exploiting a security vulnerability (CVE-2021-40539) in Zoho's self-service password management and single sign-on solution, ManageEngine ADSelfService Plus, to compromise at least 11 organizations.

"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," Unit 42 researchers Robert Falcone and Peter Renals said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus." 

The attacks are thought to be orchestrated by a "persistent and determined APT actor" known as "DEV-0322," an emerging threat cluster that Microsoft asserts is based in China and that was earlier seen exploiting a then-zero-day flaw in the SolarWinds Serv-U managed file transfer service this year. Unit 42 is tracking the combined activity as the "TiltedTemple" campaign.

Following a successful compromise, the threat actor uploads a new dropper ("msiexec.exe") to victim systems, which then deploys the Chinese-language JSP web shell known as "Godzilla" to establish persistence on those machines, mirroring the techniques used against the ADSelfService Plus software.

At least two different organizations have been compromised through the ManageEngine ServiceDesk Plus vulnerability in the last three months, and the number is likely to grow as the APT group ramps up its reconnaissance against targets in the technology, energy, transportation, healthcare, education, finance, and defense sectors.

Zoho, for its part, has made an exploit detection tool available to help customers determine whether their on-premises installations have already been compromised, and recommends that customers "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate any potential risk arising from exploitation.