According to the FBI, state-sponsored hacking groups (advanced persistent threats, or APTs) have been actively exploiting a zero-day vulnerability in Zoho’s ManageEngine Desktop Central since October.
“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI’s Cyber Division stated.
“The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.”
The security issue, which Zoho addressed in early December, is an authentication bypass vulnerability that attackers can use to execute arbitrary code on vulnerable Desktop Central servers.
On December 10, CISA added CVE-2021-44515 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch it before Christmas under Binding Operational Directive (BOD) 22-01. After releasing the patch, Zoho warned customers about ongoing exploitation attempts and advised them to install the security updates as soon as possible.
Zoho said it strongly recommends that users upgrade their installations to the latest build as soon as possible, since it is seeing evidence of this vulnerability being exploited. Users can run Zoho’s Exploit Detection Tool and follow the procedures outlined in its advisory to check whether a server has been compromised through this vulnerability.
Zoho recommends backing up essential business data, disconnecting affected systems from the network, formatting all compromised servers, restoring Desktop Central, and updating to the latest release. If evidence of compromise is found, Zoho advises resetting passwords “for any services, accounts, Active Directory, and other systems that have been accessed from the service installed computer,” as well as Active Directory administrator credentials.
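The FBI describes the intrusion as dropping a webshell that overrides a legitimate function of the application, and Zoho’s guidance is to check servers for signs of compromise before rebuilding them. One generic defender’s check for that class of tampering is a file-integrity baseline: hash every file under the web application directory while the install is known-good, then compare a later snapshot and report anything added, removed or modified. The following is an added example written for this article; it is not Zoho’s Exploit Detection Tool and not code from the FBI advisory, and the directory layout, file names and contents in `demo()` are constructed for the demonstration only.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare a known-good manifest against a later one.

    Files present only in `current` are candidate drop-ins (e.g. a webshell),
    files whose hash changed are candidate overwrites of legitimate code.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current) if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake web-app tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        webapp = root / "webapp"          # constructed directory name, not a real product path
        webapp.mkdir()
        legit = webapp / "index.jsp"      # constructed file name
        legit.write_text("<%-- legitimate page --%>")
        (webapp / "static.js").write_text("// static asset")

        baseline = build_manifest(root)   # taken while the install is known-good

        # Simulate the pattern the FBI describes: one legitimate file is
        # overwritten and one new file appears in the application directory.
        legit.write_text("<%-- contents replaced --%>")
        (webapp / "extra.jsp").write_text("<%-- new file --%>")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In practice the baseline manifest should be produced from a clean install or from vendor-supplied package contents and stored off the host, so that an attacker who controls the server cannot also rewrite the reference hashes. A non-empty `added` or `modified` list is a prompt for the forensic triage and rebuild steps Zoho describes, not proof of compromise on its own, since legitimate updates also change files.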
According to Shodan, more than 2,900 ManageEngine Desktop Central instances are exposed on the internet and vulnerable to incoming attacks.