The FBI has issued a warning about a critical zero-day vulnerability in Zoho's ManageEngine Desktop Central. Nation-state actors have been exploiting it since at least late October 2021.

What has happened

Recently, the FBI disclosed that attackers are exploiting the critical zero-day vulnerability (CVE-2021-44515), an authentication bypass in Desktop Central, to execute arbitrary code on the server.
  • The APT groups target Desktop Central servers, drop a webshell that overrides a legitimate Desktop Central function, and use it to download post-exploitation tools.
  • The threat groups have also been observed enumerating domain users and groups, performing network reconnaissance and lateral movement, and finally dumping credentials.
  • A Shodan search for internet-exposed ManageEngine Desktop Central instances returned 2,980 systems that could be at risk.
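The two post-exploitation behaviours described above, a legitimate page overwritten by a webshell and recon or credential-access tools launched from the compromised server, are what a defender would check for on a Desktop Central host after reading the warning. The following is an added example written for this page; it is not code from Cyware, Zoho or the FBI. It assumes an install layout where the web application sits under a directory passed as webapps_dir and the service JVM is a java.exe under a DesktopCentral directory, a clean inventory of JSP files (relative path to SHA-256) taken from a fresh install or an old backup, and process-creation telemetry (Sysmon event 1 or Windows event 4688) exported as "parent_image|image|command_line" lines. The files and log lines in run_demo() are constructed for the example.

```python
"""
Added example (not code from the article, Zoho or the FBI): two checks for a
Desktop Central host, matching the TTPs the FBI described: a web shell dropped
over a legitimate page, and recon/credential tools launched from the server.

Assumptions, none of which come from the article:
  * the Desktop Central web application lives under webapps_dir;
  * a clean inventory of JSP files (relative path -> SHA-256) exists;
  * process telemetry is exported as "parent_image|image|command_line" lines;
  * the service JVM is a java.exe under a DesktopCentral* directory.
"""
import hashlib
import ntpath
import os
import re
import tempfile

# Strings typical of JSP web shells. Used only to annotate a finding; the
# decision is driven by the inventory comparison, because legitimate pages
# also call request.getParameter().
WEBSHELL_MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder(", "request.getParameter(")

# Living-off-the-land binaries used for the enumeration, recon and credential
# dumping the article lists. They are suspicious because of the parent process,
# not on their own.
RECON_BINARIES = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe",
                  "nltest.exe", "ipconfig.exe", "bitsadmin.exe", "rundll32.exe"}

# Parent pattern for the Desktop Central service JVM (assumed install layout).
DC_PARENT = re.compile(r"DesktopCentral.*\\java\.exe$", re.IGNORECASE)


def find_suspicious_jsp(webapps_dir, clean_inventory):
    """Return (relative_path, reason) for JSP files that are absent from the
    clean inventory or whose SHA-256 no longer matches it."""
    hits = []
    for root, _, files in os.walk(webapps_dir):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, webapps_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if rel not in clean_inventory:
                reason = "not in clean inventory"
            elif hashlib.sha256(data).hexdigest() != clean_inventory[rel]:
                reason = "modified since clean inventory"
            else:
                continue
            markers = [m for m in WEBSHELL_MARKERS if m.encode() in data]
            if markers:
                reason += "; contains " + ", ".join(markers)
            hits.append((rel, reason))
    return sorted(hits)


def find_suspicious_children(proc_lines):
    """Return (image, command_line) for recon binaries whose parent is the
    Desktop Central JVM. Each line is parent_image|image|command_line."""
    flagged = []
    for line in proc_lines:
        parent, image, cmdline = line.rstrip("\n").split("|", 2)
        # ntpath.basename handles Windows paths even when run on Linux.
        if DC_PARENT.search(parent) and ntpath.basename(image).lower() in RECON_BINARIES:
            flagged.append((image, cmdline))
    return flagged


def run_demo():
    """Build a constructed webapps tree and telemetry, then run both checks."""
    def sha(b):
        return hashlib.sha256(b).hexdigest()

    clean_index = b"<html>Desktop Central</html>"
    clean_page = b"<%@ page import=\"java.util.*\" %><html>report</html>"
    shell_page = b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
    inventory = {"DesktopCentral/index.jsp": sha(clean_index),
                 "DesktopCentral/jsp/report.jsp": sha(clean_page)}

    webapps = tempfile.mkdtemp()
    layout = {"DesktopCentral/index.jsp": clean_index,      # untouched
              "DesktopCentral/jsp/report.jsp": shell_page,  # legit page overwritten
              "DesktopCentral/uploads/x.jsp": shell_page}   # new, uninventoried file
    for rel, body in layout.items():
        full = os.path.join(webapps, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

    jvm = r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe"
    proc_lines = [  # constructed telemetry, not real logs
        jvm + r"|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
        jvm + r'|C:\Windows\System32\net.exe|net group "Domain Admins" /domain',
        r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
        jvm + r"|C:\Program Files\DesktopCentral_Server\bin\dcnotificationserver.exe|...",
    ]
    return find_suspicious_jsp(webapps, inventory), find_suspicious_children(proc_lines)


if __name__ == "__main__":
    for findings in run_demo():
        for item in findings:
            print(*item, sep="  ")
```

The hash comparison, not the marker scan, is what decides a finding: a legitimate Desktop Central page that calls request.getParameter() stays quiet as long as it matches the clean inventory, while an overwritten page is reported even if the attacker's code uses none of the listed strings. For the process check, the parent is the signal; cmd.exe from explorer.exe is noise, cmd.exe from the service JVM is worth a look.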

Additional insights

  • Zoho published a security advisory for this zero-day and fixed the flaw in early December 2021.
  • CISA also added CVE-2021-44515 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate it by December 24, 2021, before Christmas.

Ending notes

The warning also includes IoCs, YARA rules, TTPs, and mitigations. Warnings of this kind should be taken seriously: organizations running Desktop Central should update it as soon as possible and, because exploitation began well before the fix was available, check exposed servers against the published indicators rather than assuming that patching alone is enough.
Cyware Publisher