The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities.
Tracked as CVE-2021-44077 (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, "allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," CISA said.
"A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho noted in an independent advisory published on November 22. "This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks." Zoho addressed the same flaw in versions 11306 and above on September 16, 2021.
CVE-2021-44077 is also the second flaw to be exploited by the same threat actor that was formerly found exploiting a security shortcoming in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus (CVE-2021-40539) to compromise at least 11 organizations, according to a new report published by Palo Alto Networks' Unit 42 threat intelligence team.
"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," Unit 42 researchers Robert Falcone and Peter Renals said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus."
The attacks are believed to be orchestrated by a "persistent and determined APT actor" tracked by Microsoft under the moniker "DEV-0322," an emerging threat cluster that the tech giant says is operating out of China and has been previously observed exploiting a then zero-day flaw in SolarWinds Serv-U managed file transfer service earlier this year. Unit 42 is monitoring the combined activity as the "TiltedTemple" campaign.
Post-exploitation activities following a successful compromise involve the actor uploading a new dropper ("msiexec.exe") to victim systems, which then deploys the Chinese-language JSP web shell named "Godzilla" for establishing persistence in those machines, echoing similar tactics used against the ADSelfService software.
Unit 42 identified that there are currently over 4,700 internet-facing instances of ServiceDesk Plus globally, of which 2,900 (or 62%) spanning across the U.S., India, Russia, Great Britain, and Turkey are assessed to be vulnerable to exploitation.
Over the past three months, at least two organizations have been compromised using the ManageEngine ServiceDesk Plus flaw, a number that's expected to climb further as the APT group ramps up its reconnaissance activities against technology, energy, transportation, healthcare, education, finance, and defense industries.
Zoho, for its part, has made available an exploit detection tool to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate any potential risk arising out of exploitation.