Dive Brief:
- An advanced persistent threat (APT) group has been exploiting a zero-day vulnerability (CVE-2021-44515) in Zoho ManageEngine Desktop Central servers since October, an FBI flash alert issued Friday said. The vulnerability does not apply to Desktop Central Cloud.
- The threat group dropped a webshell to override "a legitimate function of Desktop Central," the FBI said. The zero day allows a malicious actor to bypass authentication and deploy arbitrary code in the server, the company said in guidance published Dec. 3. "We are noticing indications of exploitation of this vulnerability … we strongly advise customers to update their installations."
- Zoho designated the vulnerability as critical. Threat actors are performing follow-on intrusions, attempting lateral movement to domain controllers and credential dumping.
Dive Insight:
Zoho, which owns the ManageEngine product line, has issued several updates for critical vulnerabilities since September. While Zoho disclosed and patched this vulnerability earlier this month, the FBI found exploitation activity dating back to October. Both Desktop Central enterprise and Desktop Central MSP installations are affected by the latest vulnerability.
In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus that enabled remote code execution. "The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies," CISA warned.
By November, Palo Alto Networks' Unit 42 had identified a second attack campaign targeting ManageEngine ADSelfService Plus, separate from the activity CISA warned of in September. That campaign began in September and ran through early October, compromising at least nine entities worldwide, Unit 42 found.
Exploitation of the Desktop Central vulnerability was occurring around the same time, and CISA added it to its catalog of known exploited vulnerabilities on Dec. 10, requiring federal civilian agencies to apply the patch by Dec. 24.
ManageEngine has published an exploit detection tool that customers can run to check whether their installation shows signs of exploitation. The indicators of compromise (IOCs) include:
- The file "aaa.zip" in the /lib directory of the Desktop Central installation
- The file "help_me.jsp" in \webapps\DesktopCentral\html
The FBI is requesting that businesses that find these IOCs report their findings to their local field office. ManageEngine customers should also report evidence of unauthorized account access, lateral movement, malicious IPs found through log file searches, or the presence of webshell code on affected servers.
"Recipients of this information are encouraged to contribute any additional information that they may have related to this threat," the alert said.
Before applying the update, ManageEngine recommends that customers back up their critical business data. Even customers who find no sign of compromise should update Desktop Central to the latest version.
For enterprise customers, the vulnerable builds and the fixed builds to update to are:
- 10.1.2127.17 and below with directions to update to 10.1.2127.18
- 10.1.2128.0 to 10.1.2137.2 with directions to update to 10.1.2137.3
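The two checks above, the IOC file locations and the vulnerable build ranges, can be combined into a single triage script. The following is an added example written for this page; it is not Zoho's exploit detection tool nor any code from the FBI alert. It assumes the Desktop Central install root uses the directory layout the IOC paths imply (lib/ and webapps/DesktopCentral/html/ under the root), that the build number is available as a four-part dotted string, and it encodes only the enterprise build ranges listed in the article. The demo builds a throwaway install tree with a planted help_me.jsp so it runs offline; that tree is constructed sample input, not real data.

```python
"""Triage helper for CVE-2021-44515 (Desktop Central): added example, not Zoho's tool.

Two checks are performed:
  1. Is the running build inside one of the vulnerable ranges from the advisory?
  2. Are the published IOC files present under the install root?
"""
from pathlib import Path
import tempfile

# IOC file names and their locations relative to the Desktop Central install root,
# as listed in the FBI flash alert. Subdirectories are written with '/' and
# converted to the host's separator, so the same table works on Windows and Linux.
IOC_FILES = [
    ("lib", "aaa.zip"),
    ("webapps/DesktopCentral/html", "help_me.jsp"),
]

# Vulnerable enterprise build ranges (inclusive) and the fixed build for each,
# taken from the advisory. "10.1.2127.17 and below" is encoded with an open
# lower bound. Builds outside these ranges are reported as "not in a listed range",
# which is not the same as "patched"; check the vendor advisory for anything else.
VULNERABLE_RANGES = [
    ((0, 0, 0, 0), (10, 1, 2127, 17), "10.1.2127.18"),
    ((10, 1, 2128, 0), (10, 1, 2137, 2), "10.1.2137.3"),
]


def parse_build(build):
    """Turn '10.1.2127.17' into (10, 1, 2127, 17) so builds compare numerically.

    Plain string comparison would get '10.1.2137.2' vs '10.1.2137.10' wrong.
    """
    parts = tuple(int(p) for p in build.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part build number, got {build!r}")
    return parts


def fixed_build_for(build):
    """Return the fixed build a vulnerable build must move to, or None if the
    build is not inside any listed vulnerable range."""
    b = parse_build(build)
    for low, high, fix in VULNERABLE_RANGES:
        if low <= b <= high:
            return fix
    return None


def find_iocs(install_root):
    """Return the IOC files (as root-relative POSIX paths) found under install_root."""
    root = Path(install_root)
    hits = []
    for subdir, name in IOC_FILES:
        candidate = root.joinpath(*subdir.split("/")) / name
        if candidate.exists():
            hits.append(candidate.relative_to(root).as_posix())
    return hits


def assess(install_root, build):
    """Combine both checks into one result dict for reporting."""
    fix = fixed_build_for(build)
    return {
        "build": build,
        "in_vulnerable_range": fix is not None,
        "fixed_build": fix,
        "iocs_found": find_iocs(install_root),
    }


def demo():
    """Constructed sample: a fake install tree with one planted IOC file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        html = root / "webapps" / "DesktopCentral" / "html"
        html.mkdir(parents=True)
        (html / "help_me.jsp").write_text("<%-- placeholder, not a real webshell --%>")
        return assess(root, "10.1.2130.0")  # hypothetical build inside the second range


if __name__ == "__main__":
    print(assess(Path.cwd(), "10.1.2127.18"))  # replace with the real install root and build
    print(demo())
```

A hit on either check is enough to escalate, but a clean result only means these two filenames are absent and the build is outside the listed ranges; webshell names are trivially changed, so the log review and lateral-movement checks the FBI asks for still apply.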