Flash Notice: APT Group Continues to Exploit Zoho ManageEngine ServiceDesk Plus Vulnerability

Overview

Read our most recent Flash Notice for the updates on this vulnerability. 

In early December 2021, CISA reported that an APT group was exploiting a vulnerability (previously known as CVE-2021-44515) in Zoho ManageEngine ServiceDesk Plus (IT help desk software with asset management) that was unsuccessfully patched. The vulnerability (now known as CVE-2021-44077 due to unsuccessful patching) is an authentication bypass vulnerability that can allow attackers to upload executable files and place webshells. The webshells enable the attacker to conduct post-exploitation activities (lateral movement, exfiltrating registry hives, and Active Directory files, stealing administrator credentials, etc).  

The Zoho update released on September 16, 2021, attempted to patch this vulnerability, but it was not successful. CVE-2021-44077 affects versions 11305 and earlier, and malicious actors have been using the flaw to gain access to ManageEngine ServiceDesk Plus since late October 2021. Over the past three months, at least 13 undisclosed organizations across the energy, healthcare, education, and technology industries have been compromised by this APT threat actor. There are over 4,700 global internet-facing instances of ServiceDesk Plus, of which 2,900 (62%) are assessed to be vulnerable to exploitation. Currently, the threat actors have been seen using the following tactics, techniques, and procedures:  

• Writing webshells [T1505.003] to disk for initial persistence 
• Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140] 
• Conducting further operations to dump user credentials [T1003] 
• Living off the land by only using signed Windows binaries for follow-on actions [T1218] 
• Adding/deleting user accounts as needed [T1136] 

• Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives 
• Using Windows Management Instrumentation (WMI) for remote execution [T1047] 
• Deleting files to remove indicators from the host [T1070.004] 
• Discovering domain accounts with the net Windows command [T1087.002] 
• Using Windows utilities to collect and archive files for exfiltration [T1560.001] 

• Using custom symmetric encryption for command and control (C2) [T1573.001] 

According to CISA and the FBI, the source of the vulnerability is an improper security configuration process used in the application. It allows attackers to gain unauthorized access to ServiceDesk Plus data through some of its application URLs. The URL has the ability to bypass the authentication process and fetch required data, delivering it to an attacker who then gains unauthorized access or carries out another attack.  

Palo Alto Networks stated that the observed recent activity is tied to a persistent APT threat actor that initially used a zero-day vulnerability in ADSelfService in August and September 2021. The threat actor then changed their method of attack and decided to exploit CVE-2021-44077 and is now leveraging the vulnerability in the ServiceDesk Plus software. Zoho has classified the severity of this vulnerability as “severe” and has issued a patch. They have also developed an Exploit Detection Tool that can help identify if an installation has been affected by the vulnerability. You can go here to download ManageEngine's Exploit Detection Tool.  After downloading follow these steps:  

• Extract the tool to \ManageEngine\UEMS_CentralServer\bin folder or \ManageEngine\DesktopCentral_Server\bin folder, whichever is applicable for you. 
• Open command prompt with admin privilege and navigate to \ManageEngine\UEMS_CentralServer\bin folder or \ManageEngine\DesktopCentral_Server\bin folder. 
• Run the command RCEScan.bat 
• As shown in the screenshots below, if your installation is affected, you will be thrown the message "Compromised". If your installation is unaffected, you will receive the message "Not Compromised".
   

How Avertium is Protecting Our Clients:

• To help protect your organization from becoming a victim of this vulnerability, Avertium offers SIEM and EDR services for organizations who need protection against threat actors trying to exploit CVE-2021-44077. A robust SIEM Implementation is one of the most effective weapons you can leverage in the increasingly complex battle to secure your organization. Our EDR service will continuously monitor a system for suspicious activity within the security parameter.  

• If your organization is in need of further protection, you may want to utilize Avertium’s Vulnerability Management (vulnerability management as-a-service) to set up extra safeguards.  

• Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above services. 

Avertium's recommendations

• CISA and the FBI recommend the following:  

• • Apply patches to all Zoho software. 
  • Evaluate the business need and risk associated with any internet facing Zoho products. 
  • Review files that have been created in ServiceDesk Plus directories since early October 2021. 
  • Domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. 
  • Also, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide. You can find Yara Rules here.  

indicators of compromise (iocs):

• passwordmanagerpromsp[.]com 
• seed.nkn[.]org 
• /RestAPI/ImportTechnicians?step=1 
• 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015 
• 068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324 
• 759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088 
• 262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d 

• a44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d 
• ce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382 

• 75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600 
• 5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb 
• ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7 
• 009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac  
• 083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a 

• 342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3 
• 805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f 
• 3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd 
• 5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755 
• 3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d 
• 342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae 
• 7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72 
• 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090 
• b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
• e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c 
• bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da 
• d0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7 
• 7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff 

• • C:\ManageEngine\ServiceDesk\bin\msiexec.exe 
  • C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar 
  • C:\Windows\Temp\ScriptModule.dll 
  • C:\ManageEngine\ServiceDesk\bin\ScriptModule.dll 
  • C:\Windows\system32\ME_ADAudit.exe 
  • c:\Users\[username]\AppData\Roaming\ADManager\ME_ADManager.exe 
  • %ALLUSERPROFILE%\Microsoft\Windows\Caches\system.dat 
  • C:\ProgramData\Microsoft\Crypto\RSA\key.dat 
  • c:\windows\temp\ccc.exe 

references

APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus | CISA 

Determined APT is exploiting ManageEngine ServiceDesk Plus vulnerability (CVE-2021-44077) - Help Net Security 

APT Conducts Active Campaign Against ManageEngine ServiceDesk Plus (paloaltonetworks.com) 

Related Reading:

APT Threat Actor Profile

Contact us for more information about Avertium’s managed security service capabilities.