FBI – APT Threat Actors Have Used a Zero-Day in Zoho ManageEngine Since October

Last week the US Federal Bureau of Investigation (FBI) warned that multiple APT threat actor groups have been abusing a zero-day vulnerability in Zoho’s ManageEngine Desktop Central server since October.

Although Zoho patched the vulnerability on December 3 this year, the hackers started exploiting this zero-day bug in October. The bug affects ManageEngine Desktop Central servers and is tracked as CVE-2021-44515 with a severity rating of Critical.

This zero-day bug is an authentication bypass vulnerability in ManageEngine Desktop Central.

According to the FBI report, this vulnerability allows hackers to circumvent the authentication mechanism on the Desktop Central server and execute arbitrary programs.

Zoho is an Indian software company whose web-based productivity suite, Zoho Office Suite, is one of its best-known products.

Apart from this, Zoho also owns the ManageEngine brand, which specializes in IT management for small and medium enterprises; Desktop Central is ManageEngine’s unified endpoint management solution.

Desktop Central helps small and medium enterprises centrally manage the following:-

  • Internal servers
  • Personal computers
  • Smartphones or mobile phones
  • Tablets

Tactics, Techniques, and Procedures

Here below we have listed the TTPs used by the threat actors:-

  • DLL sideloading
  • Executing “living off the land” tools, e.g. bitsadmin
  • Network scanning, e.g. nbtscan, nb.exe
  • PowerShell for command execution
  • Persistence through a Windows Service
  • Downloading staged post-exploitation tools from other victim infrastructure
  • Credential dumping, e.g. Mimikatz, comsvcs.dll, WDigest downgrade and pwdump

Microsoft warned to patch servers

In October this year, a number of APT hacking groups exploited this zero-day vulnerability. They replaced legitimate functions on Desktop Central with a malicious webshell.

After that, they downloaded other attack tools to enumerate and analyze the users and groups of the compromised servers in order to conduct:-

  • Network reconnaissance
  • Attempt to move laterally
  • Collect account passwords across the environment

Here’s what Zoho stated:-

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.”

In addition, you can use Zoho’s Exploit Detection Tool to check whether your server was breached through this zero-day security flaw. Apart from this, currently more than 2,900 ManageEngine Desktop Central instances are exposed to incoming attacks.

Recommended Mitigations

Aside from releasing the security patch, Zoho has also provided ManageEngine Desktop Central customers with the following vulnerable build numbers and upgrade targets, for both Enterprise and MSP customers.

For Enterprise Customers:-

  • For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
  • For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3

For MSP Customers:-

  • For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
  • For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3 
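To make the build ranges above actionable across an inventory, here is an added example (not Zoho’s own tooling) that classifies a Desktop Central build string against the vulnerable ranges quoted on this page and reports the fixed build it should move to; the function names and the sample build list are constructed for illustration.

```python
# Added example: checks Desktop Central build numbers against the vulnerable
# ranges quoted in the advisory above and returns the build to upgrade to.
# The ranges are the ones on this page; function names and sample inputs
# are constructed for illustration, not taken from Zoho's tooling.
from typing import Dict, List, Optional, Tuple

# (lower inclusive, upper inclusive, fixed build). The page lists the same
# ranges for both Enterprise and MSP editions, so one table serves both.
VULNERABLE_RANGES = [
    ((0, 0, 0, 0), (10, 1, 2127, 17), "10.1.2127.18"),
    ((10, 1, 2128, 0), (10, 1, 2137, 2), "10.1.2137.3"),
]


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '10.1.2127.17' into (10, 1, 2127, 17) so builds compare numerically."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build format: {build!r}")
    return tuple(int(p) for p in parts)


def required_upgrade(build: str) -> Optional[str]:
    """Return the fixed build this build must move to, or None if the build
    is not inside one of the listed vulnerable ranges."""
    version = parse_build(build)
    for low, high, fixed in VULNERABLE_RANGES:
        if low <= version <= high:
            return fixed
    return None


def assess(builds: List[str]) -> Dict[str, str]:
    """Map each build string to a status line for a quick inventory report."""
    report = {}
    for build in builds:
        fix = required_upgrade(build)
        report[build] = (
            f"VULNERABLE - upgrade to {fix}" if fix else "not in a listed vulnerable range"
        )
    return report


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = ["10.1.2119.5", "10.1.2127.17", "10.1.2127.18", "10.1.2130.0", "10.1.2137.3"]
    for build, status in assess(sample).items():
        print(f"{build}: {status}")
```

Builds newer than those listed are reported as outside the listed ranges, which only means the page gives no range for them, not that they are confirmed fixed.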

The FBI has strongly recommended that users apply the security patch immediately, and also monitor for and report any suspicious activity.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.