FBI: State hackers exploiting new Zoho zero-day since October

The Federal Bureau of Investigation (FBI) says a zero-day vulnerability in Zoho’s ManageEngine Desktop Central has been under active exploitation by state-backed hacking groups (also known as APTs or advanced persistent threats) since at least October.

“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI’s Cyber Division said [PDF].

“The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.”

The security flaw, patched by Zoho in early December, is a critical authentication bypass vulnerability attackers could exploit to execute arbitrary code on vulnerable Desktop Central servers.

CISA added CVE-2021-44515 to its Known Exploited Vulnerabilities Catalog on December 10, requiring federal agencies to patch it before Christmas under Binding Operational Directive (BOD) 22-01.

Customers warned to patch their servers

After patching the vulnerability, the company also warned customers of ongoing exploitation attempts urging them to immediately deploy the security updates to block incoming attacks.

“As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” Zoho said.

To detect if your server was breached using this security flaw, you can use Zoho’s Exploit Detection Tool and go through the steps detailed here.

The company advises backing up critical business data, disconnecting impacted network systems, formatting all compromised servers, restoring Desktop Central, and updating to the latest build.

If signs of compromise are found, Zoho recommends initiating a password reset “for all services, accounts, Active Directory, etc. that has been accessed from the service installed machine,” together with Active Directory administrator passwords.

According to Shodan, there are over 2,900 ManageEngine Desktop Central instances exposed to incoming attacks.

ManageEngine servers under siege

In recent years, Zoho ManageEngine servers have been under constant targeting, with Desktop Central instances, for instance, having been hacked and access to their networks sold on hacking forums since July 2020.

Between August and October 2021, Zoho ManageEngine installations have also been attacked by nation-state hackers using tactics and tooling similar to those employed by the Chinese-linked APT27 hacking group.

In these attacks, the threat actors focused their efforts on breaching the networks of critical infrastructure organizations worldwide in three different campaigns.

They first used an ADSelfService zero-day exploit between early August and mid-September, then switched to an n-day AdSelfService exploit until late October, and moved to a ServiceDesk one starting with October 25.

Following these campaigns, the FBI and CISA issued joint advisories (1, 2) warning of APT actors exploiting these ManageEngine flaws to drop web shells on the networks of breached critical infrastructure orgs, including healthcare, financial services, electronics, and IT consulting industries.