New Warning: APTs are Targeting Zoho ManageEngine

What has happened?

• Successful exploitation of the vulnerability leads to the placement of web shells to compromise administrator credentials, perform lateral movement, and steal registry hives and Active Directory files.
• Since August, the vulnerability is being exploited and attackers are writing web shells to disk for persistence, obfuscating files or info, and further operations to dump user credentials.
• Some attackers have abused the flaw to add/delete user accounts, steal copies of the Active Directory database, delete files to remove indicators, and use Windows tools to collect/archive files. 

Modus Operandi

• According to CISA, nation-state hackers are abusing the vulnerability to upload a .zip file with a JavaServer Pages (JSP) web shell pretending to be an x509 certificate: service.cer. 
• After that, more requests are being made from various API endpoints to exploit the victim's system. After initial abuse, /help/admin-guide/Reports/ReportGenerate[.]jsp is used to access the web shell.
• The attacker tries to move laterally with WMI, obtain access to a domain controller, dump NTDS[.]dit and SECURITY/SYSTEM registry hives, and continue on with the compromise. 
• Additionally, the attackers run clean-up scripts to remove evidence of the entry point of infection and hide any connection between the web shell and exploitation of the vulnerability.

Conclusion