Critical Zoho ManageEngine ServiceDesk Plus Vulnerability Exploited

THE THREAT

eSentire has observed active exploitation of the critical Zoho ManageEngine ServiceDesk Plus vulnerability CVE-2021-44077 (CVSS: 9.8). The vulnerability is classified as Remote Code Execution (RCE) and allows a remote and unauthenticated threat actor to upload executable files and deploy web shells on compromised assets.

Organizations making use of Zoho products are strongly recommended to ensure relevant security patches are deployed and run the available exploitation detection tool, provided by Zoho ManageEngine, to identify potential signs of compromise.

What we’re doing about it

• eSentire has developed and deployed eSentire MDR for Endpoint rules to identify exploitation activity
• eSentire has performed threat hunts for all eSentire MDR for Endpoint clients
• eSentire security teams are tracking this threat for additional detection and prevention opportunities

What you should do about it

• After performing a business impact review, update to ServiceDesk Plus build 11306 or higher
• Ensure an endpoint monitoring solution is deployed to detect exploitation
• Run the exploitation detection tool provided by Zoho ManageEngine

Additional information

eSentire discovered malicious activity while deploying detection for exploitation of CVE-2021-44077 and associated threats. CISA and the FBI have warned that Advanced Persistent Threat groups are actively exploiting CVE-2021-44077. Exploitation of this vulnerability may indicate that a wider intrusion has occurred, including the compromise of administrator credentials, lateral movements, and data exfiltration.

References:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077
[2] https://www.manageengine.com/products/service-desk/security-response-plan.html
[3] https://us-cert.cisa.gov/ncas/alerts/aa21-336a