APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus (on-premises) prior to version 11306. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first know exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year, first exploiting the CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability on targets in a range of different sectors, including healthcare, with the latest campaign exploiting the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence that suggests the attack may be conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in the security Alert AA21-336A.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.