Hackers Employ In-House Zoho ServiceDesk Exploit for Webshells Distribution

Hackers Employ In-House Zoho ServiceDesk Exploit for Webshells Distribution

An advanced persistent threat (APT) organization that previously targeted a vulnerability in the Zoho ManageEngine ADSelfService Plus software has shifted its focus to a different Zoho product. The actor was detected leveraging CVE-2021-44077, an unauthenticated remote code execution vulnerability in Zoho ServiceDesk Plus versions 11305 and older.

On September 16, 2021, Zoho patched the RCE weakness, and on November 22, 2021, the business issued a security warning to warn users of active exploitation. On the other hand, users were sluggish to upgrade and so remained exposed to attacks. 

According to a study from Palo Alto Networks’ Unit42, there is no publicly available proof-of-concept attack for CVE-2021-44077, implying that the APT group using it created the code and is utilizing it solely for the time being. The actors take advantage of the weakness by sending two REST API requests: one to upload an executable (msiexec.exe) and another to launch the payload. This procedure is carried out remotely and does not necessitate logging in to the vulnerable ServiceDesk server.

When ServiceDesk runs the payload, a mutex is generated. A hardcoded Java module is written to “../lib/tomcat/tomcat-postgres.jar,” a form of the ‘Godzilla’ webshell loaded into ServiceDesk after terminating ‘java.exe’ and restarting the process. As per the researchers, the actor employed the same webshell secret key as in the ADSelfService Plus campaign, but this time it installs an Apache Tomcat Java Servlet Filter.

“The fact that this Godzilla webshell is installed as a filter means that there is no specific URL that the actor will send their requests to when interacting with the webshell, and the Godzilla webshell filter can also bypass a security filter that is present in ServiceDesk Plus to stop access to webshell files” – states Unit42’s analysis.

Patching Zoho software as soon as possible is strongly advised, as is reviewing any files produced in ServiceDesk Plus folders since early October 2021. Network scans now identify around 600 susceptible systems in the United States, with another 2,100 in India, Russia, the United Kingdom, Turkey, and other countries. Government systems, universities, healthcare companies, and other essential entities have vulnerable deployments.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: