APT attackers are using a security vulnerability in ManageEngine Desktop Central to take over servers, deliver malware and establish network persistence.
Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges — with an ultimate goal of dropping malware onto organizations’ networks, the FBI has warned.
APT actors have been exploiting the bug, tracked as CVE-2021-44515, since at least late October, the feds revealed in an FBI Flash alert released last week. There is also evidence to support that it’s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.
The latest vulnerability is an authentication-bypass vulnerability in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code in the Desktop Central server, according to a Zoho advisory that addressed the issue, published earlier this month.
Indeed, the feds said they observed APT actors doing exactly that. More specifically, researchers observed attackers “compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,” according to the Flash Alert.
Zoho has addressed the vulnerability and is urging organizations to update to the appropriate latest builds of ManageEngine Desktop Central due to “indications of exploitation,” the company said in its advisory.
Specifically, the company is advising enterprise customers running builds 10.1.2127.17 and below to upgrade to build 10.1.2127.18, and those running builds 10.1.2128.0 to 10.1.2137.2 to upgrade to build 10.1.2137.3.
The bug is the third zero-day under active attack that researchers have discovered in the cloud platform company’s ManageEngine suite since September, spurring dire warnings from the FBI and researchers alike.
Though no one has yet conclusively identified the APT responsible, it’s likely the attacks are linked and those responsible are from China, previous evidence has shown.
Earlier this month, researchers at Palo Alto Networks Unit 42 revealed that state-backed adversaries were using vulnerable versions of ManageEngine ServiceDesk Plus to target a number of U.S. organizations between late October and November.
The attacks were related to a bug disclosed in a Nov. 22 security advisory by Zoho, which alerted customers to active exploitation of the newly registered CVE-2021-44077 in ManageEngine ServiceDesk Plus. The vulnerability, which allows unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below.
That news came on the heels of warnings in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) that an unspecified APT was exploiting a then-zero-day vulnerability in Zoho ManageEngine’s password management solution called ADSelfService Plus.
Zoho issued a fix for the vulnerability, tracked as CVE-2021-40539, soon after; still, researchers observed attackers exploiting it later in November in their continued assault on defense, energy and healthcare organizations.
Unit 42 researchers grouped the two previously known active attack fronts against Zoho’s ManageEngine under the name “TiltedTemple,” and said earlier this month that there is evidence linking the APT responsible to China, although it is not conclusive.
The latest Flash Alert released by the FBI also shows a correlation with the earlier APT attacks on ManageEngine ADSelfService Plus: malicious code samples observed in the latest exploitation were “downloaded from likely compromised ManageEngine ADSelfService Plus servers,” according to the alert.
Those samples show initial exploitation of a Desktop Central API URL that allowed for an unauthenticated file upload of two different variants of webshells; the first variant was delivered using either the file name “emsaler.zip” or “eco-inflect.jar” in late October and mid-November, respectively; and a second variant using the file name “aaa.zip” in late November.
The webshell overrides the legitimate Desktop Central API servlet endpoint, “/fos/statuscheck,” and filters inbound requests to that URL path (POST requests in the case of the first variant, GET requests in the case of the second), according to the FBI. If an inbound request passes the filter check, the webshell lets attackers execute commands as the SYSTEM user with elevated privileges.
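As an added example (not from the FBI alert, Zoho, or the original article), the following script triages web-server access log lines for the request patterns the alert attributes to the webshell: POST requests or parameterized GET requests to the overridden “/fos/statuscheck” endpoint, and requests referencing the webshell file names named above. The log format is a constructed common-log-format sample, and the upload path in the sample is a placeholder because the article does not name the Desktop Central API URL; the assumption that a legitimate status check is a bare GET with no parameters is noted in the code.

```python
# Added example (not from the FBI alert or Zoho): triage web-server access log
# lines for the request patterns the alert attributes to the CVE-2021-44515
# webshell. Log lines are constructed common-log-format samples; adapt LOG_RE
# to the real Desktop Central access log format before use.
import re
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

WEBSHELL_PATH = "/fos/statuscheck"  # overridden servlet endpoint named in the alert
UPLOAD_NAMES = ("emsaler.zip", "eco-inflect.jar", "aaa.zip")  # file names from the alert


def classify(line: str) -> List[str]:
    """Return the reasons a log line is suspicious (empty list = nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    path, query = (m["path"].split("?", 1) + [""])[:2]
    reasons = []
    if path == WEBSHELL_PATH:
        # Assumption: the legitimate status check is a bare GET with no parameters.
        # The first webshell variant filters POST, the second filters GET, so a
        # POST or a parameterized GET to this path is worth a closer look.
        if m["method"] == "POST":
            reasons.append("POST to /fos/statuscheck (first webshell variant pattern)")
        elif query:
            reasons.append("GET to /fos/statuscheck with parameters (second webshell variant pattern)")
    if any(name in m["path"] for name in UPLOAD_NAMES):
        reasons.append("request references a known webshell upload file name")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious line to its reasons; clean lines are omitted."""
    return {ln: r for ln in lines if (r := classify(ln))}


# Constructed sample lines; source IPs, timestamps and the upload path are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Oct/2021:10:02:11 +0000] "POST /fos/statuscheck HTTP/1.1" 200 512',
    '198.51.100.9 - - [29/Nov/2021:08:15:02 +0000] "GET /fos/statuscheck?param=value HTTP/1.1" 200 77',
    '198.51.100.9 - - [29/Nov/2021:08:14:40 +0000] "POST /PLACEHOLDER-UPLOAD-API/aaa.zip HTTP/1.1" 200 0',
    '10.0.0.5 - - [29/Nov/2021:08:16:00 +0000] "GET /fos/statuscheck HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

Only the three constructed attacker-style lines are flagged; the bare GET status check is left alone, so tune the assumption if the real endpoint is legitimately called with parameters.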
The webshell allows attackers to conduct initial reconnaissance and domain enumeration, after which the actors use BITSAdmin to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe, according to the FBI. Attackers then sideload the dropper through AppLaunch execution, creating a persistent service to execute the AppLaunch binary moving forward.
“Upon execution, the dropper creates an instance of svchost and injects code with RAT-like functionality that initiates a connection to a command and control server,” according to the FBI.
Threat actors conduct follow-on intrusion activity through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump, researchers observed.
The FBI Flash Alert includes a detailed list of indicators of compromise so organizations using Zoho’s ManageEngine Desktop Central can check to see if they are at risk or have been a victim of attack.