The Federal Bureau of Investigation (FBI) has issued a warning about a recent vulnerability in Zoho’s ManageEngine Desktop Central software being exploited.
Malware operators are using an authentication bypass bug in the IT management platform to compromise Desktop Central first, then download other remote access tools and malware with the goal of moving laterally through the network, according to the law enforcement agency in a flash alert released Monday. The security flaw, identified as CVE-2021-44515, is an authentication bypass that can be used to gain remote code execution. The problem affects Service Desk Plus Professional and Enterprise editions, which could put tens of thousands of enterprises throughout the world at risk.
The weakness is identified as CVE-2021-44515 and is categorized as an authentication bypass within the Desktop Central API’s URL processing, according to the FBI document and a Manage Engine notice. While such issues are often not regarded as major security threats, in the context of an endpoint management server this flaw poses a significant danger and has been assigned a critical severity rating.
The vulnerability, which was rated critical (CVSS score of 9.8), was made public in early December, when Zoho warned that threat actors had already used it in attacks.
The FBI now claims that advanced persistent threat (APT) actors have been exploiting the flaw since at least October 2021. On compromised Desktop Central servers, the attackers have been dropping a webshell to override a legitimate function and set up for post-compromise activity.
The attackers utilized the web shells to drop more tools, enumerate domain users, conduct reconnaissance, and move laterally in the network to steal passwords.
“An adversary can bypass authentication and execute arbitrary code in the Desktop Central server by exploiting an authentication bypass vulnerability in Manage Engine Desktop Central,” according to Manage Engine. “We highly advise customers to upgrade their installations to the newest release as soon as possible, as we are seeing indications of exploitation of this vulnerability.”
“The dropper generates an instance of svchost and injects malware with RAT-like functionality that connects to a command and control server when it is run,” the FBI stated in its notice.
“Attempts at lateral movement to domain controllers and credential dumping techniques employing Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump are all carried out through the RAT.”
In these attacks, two webshell variations were employed, both meant to override a Desktop Central API servlet endpoint and get access to inbound GET or outbound POST requests, as well as execute commands with System privileges.
The attackers employed a dropper for a ShadowPad variant together with a valid binary to gain persistence after initial reconnaissance. When the dropper is run, it injects backdoor code into an instance of svchost, which allows it to connect to a command and control (C&C) server and carry out further malicious actions.
To close off this attack path, organisations should upgrade their ManageEngine Desktop Central installations as soon as feasible. Builds 10.1.2128.0 to 10.1.2137.2 should be upgraded to 10.1.2137.3, while those running version 10.1.2127.17 and below should upgrade to 10.1.2127.18.
Administrators who are concerned that their networks have been compromised through this flaw can use ManageEngine’s dedicated detection tool to look for signs of exploitation. Otherwise, the issue can be fixed by updating Desktop Central’s server installation to the newest build.
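As an added example (not ManageEngine’s detection tool and not code from this article), the two build ranges above turned into a check that a fleet inventory can be run through. The host names and builds in the sample inventory are constructed; comparing builds as numeric tuples avoids the string-comparison trap where "10.1.2137.10" would sort below "10.1.2137.3".

```python
from typing import Dict, Optional, Tuple

Build = Tuple[int, ...]

# Vulnerable ranges and the fixed build each one should move to, taken from the
# advisory text: (lower bound inclusive or None, upper bound inclusive, fixed build).
FIX_TABLE = [
    (None, (10, 1, 2127, 17), (10, 1, 2127, 18)),           # 10.1.2127.17 and below
    ((10, 1, 2128, 0), (10, 1, 2137, 2), (10, 1, 2137, 3)),  # 10.1.2128.0 .. 10.1.2137.2
]


def parse_build(text: str) -> Build:
    """Turn '10.1.2137.3' into (10, 1, 2137, 3); reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Desktop Central build string: {text!r}")
    return tuple(int(p) for p in parts)


def required_upgrade(build_text: str) -> Optional[str]:
    """Return the fixed build this install must move to, or None if it is already past the fix."""
    build = parse_build(build_text)
    for low, high, fixed in FIX_TABLE:
        if (low is None or build >= low) and build <= high:
            return ".".join(map(str, fixed))
    return None


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host still on a vulnerable build to the build it needs."""
    findings = {}
    for host, build_text in inventory.items():
        target = required_upgrade(build_text)
        if target is not None:
            findings[host] = target
    return findings


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {
    "dc-server-01": "10.1.2130.5",   # inside the 2128.0..2137.2 range
    "dc-server-02": "10.1.2137.3",   # already on the fixed build
    "dc-server-03": "10.1.2127.17",  # top of the older vulnerable range
    "dc-server-04": "10.1.2137.10",  # newer than the fix despite sorting lower as a string
}

if __name__ == "__main__":
    for host, target in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```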
The vulnerability was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog earlier this month, advising enterprises to deploy the available patches as soon as feasible.