Zoho, which owns the ManageEngine products, has issued several updates for critical vulnerabilities since September. While the vulnerability was first disclosed earlier this month, the FBI found exploitation activity tracing back several months. Enterprise and MSP customers are impacted by the latest vulnerability.
In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning concerning the exploitation of ManageEngine ADSelfService Plus, a critical vulnerability (CVE-2021-40539) that enabled remote code execution. “The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies,” CISA warned. 
By November, Palo Alto Networks’ Unit 42 found another attack campaign against ManageEngine ADSelfService Plus, unrelated to the one CISA warned of in September. The second campaign began in September and ran through early October, compromising at least nine entities worldwide, Unit 42 found.
The exploits of the Desktop Central vulnerability were occurring around the same time, and CISA added the latest vulnerability to its catalog of known exploited vulnerabilities on Dec. 10. CISA has required other government agencies to apply the patch by Dec. 24.
ManageEngine has an exploit detection tool available to customers to check whether their installation has been exploited. The indicators of compromise (IOCs) include:
The FBI is requesting that businesses that find IOCs report their findings to their local field office. ManageEngine customers should also report evidence of unauthorized account access, lateral movement, malicious IPs found via log file searches, or the presence of webshell code on the affected servers.
“Recipients of this information are encouraged to contribute any additional information that they may have related to this threat,” the alert said. 
Before applying the update, ManageEngine recommends that customers back up their critical business data. Even if a customer is not impacted by the zero day, the company still wants it to update Desktop Central to the latest version.
For enterprise customers, the vulnerable builds include:  